We’ve all had a crash course in BCDR in the last eighteen months. But does that mean that we should now be reviewing our existing plans?
Is now a good time to review your business continuity and disaster recovery plans? Well, let’s look at that question another way: when was the last time you refreshed your BCDR plans? And how much has changed since then?
For most of us, BCDR plans need updating for two key reasons:
• New risks
• Changes to operations
From a business continuity perspective, how many of the following trends affect your organisation?
• Changed working practices (working from home, etc.)
• New systems, processes or ways of working
• Increased risk of staff off sick or with compassionate leave
• Supply chain pressures resulting from COVID-19 and Brexit
For many businesses, the COVID effect is a double whammy for BCDR. It’s created a significantly changed operational and IT landscape. And it’s made reviews of existing plans difficult because of the time being taken up by essential COVID response.
Now, as we emerge from the latest series of lockdowns, supply chain challenges are throwing a further spanner in the works. With a supply chain already under pressure from the pandemic, Brexit is creating a whole new set of challenges for operations and business continuity planning.
Together, these conditions make an update to existing BCDR plans critical.
We’ve written in the past about how to create effective BCDR plans. Business continuity planning considers all the aspects of the business that are essential to effective operations, the risks that might disrupt or halt them, and how to mitigate those risks. Disaster recovery planning outlines the processes that need to be undertaken to restore operations if the worst should happen.
The key to a good BCDR plan is a careful look at what processes (and therefore systems) are critical to the functioning of the organisation.
Bear in mind that, if the last time you looked at BCDR was pre-pandemic, a lot has probably changed in the interim. While the basics of BCDR planning remain the same, it is useful to consider the following factors:
• New work-from-home arrangements: how do you plan for a distributed workforce with remote working capabilities?
• The use of new tools, such as video conferencing.
• The changed threat landscape and new risks to business continuity.
• Learnings: what have you learnt from the response to COVID-19? How can you apply this learning to the development of future BCDR planning?
Once you understand what the critical processes now are, from a disaster recovery point of view, you can start setting appropriate recovery point objectives (RPO) and recovery time objectives (RTO).
While you may already have set out these objectives in earlier BCDR planning, it’s a good idea to revisit these as well with the business. With so much in a state of flux during the pandemic, RPOs and RTOs may need to be adjusted. Not least because of what has been learnt about critical business processes during the pandemic!
Many workers are reluctant to give up the advantages of the new work-from-home arrangements that evolved in response to the pandemic lockdowns. What was, in March 2020, a hurriedly-cobbled-together plan B today persists as a desirable plan A for many workers.
So how do you protect data, access to applications and the continued supply of power and connectivity to a distributed workforce, most of whom are using consumer-grade broadband and some of whom still have only consumer-grade security?
We’ve written about how to improve security for remote workers in previous blog posts – an urgent matter that demands immediate action. Implementing these measures should make disruption less likely.
While prevention is better than the cure, your BCDR plans need to consider: what are the new risks that arise from remote working arrangements? And how do we mitigate them? And what can we put in place to ensure continuity if those mitigations fail?
A lot has been said about the changing attack vectors and the growing number of cyber attacks since the start of the pandemic lockdowns. Phishing has been on the rise. Hackers have tried to exploit the new weakest links to your corporate network – unsecured home devices on the networks of your employees. And new attack vectors, such as video-conferencing attacks, have emerged. According to Acronis, 39% of companies reported a video-conferencing attack last year.
Before you begin your BCDR planning, ask yourself how your security arrangements reflect these changing patterns: what new hardware is being used across the business? How are you helping workers secure their home networks and home devices (whether issued by you or not)? How are you protecting access to your network? What new software tools have been introduced? How secure are they? Are staff using the approved solutions? To what extent is shadow IT a problem?
There is a lot of work you can do in advance to improve security that will impact on your BCDR planning. If you can close down or mitigate risk, this can help you to make BCDR arrangements that really are last resort, rather than highly likely to be actioned.
Perhaps the most satisfying thing we learnt during the pandemic was how quickly organisations, suppliers, teams and individuals can move when necessity arises. All in all, we’ve shown ourselves to be adaptable and pretty good at keeping the show on the road.
There have been numerous examples of organisations that have packed several years of digital transformation into a few months or even weeks so that they could remain operational through the last difficult year and a half.
Yes, these changes will have an impact on RTOs and RPOs and other aspects of your BCDR but, ultimately, they represent a good news story: in these ways, we have all demonstrated how adaptable and resilient we can be.
Finally, remember that BCDR best practice requires the regular updating of plans; this won’t be the last time you do this! And, more than anything, BCDR best practice requires the effective testing of your plans. After all, if you don’t know it works, you can’t rely on it.
Read more about how to ensure the success of your BCDR plans.
If you would like help or advice concerning any of the topics mentioned in this article – whether protecting a work from home workforce, beefing up cyber security, planning for business continuity and disaster recovery, or anything else – please get in touch with the Grant McGregor team.