Creating a Business Continuity Plan for Your Customers

Data loss is a very real threat to business operations worldwide. However, many small to medium-sized companies often view protective or proactive actions as unnecessary.

For MSPs, it is important to be more than a reseller or service provider. It is equally necessary to become a business partner that can identify risks and threats and can recommend proactive actions and solutions to protect business operations if a disaster occurs.

Financial damage from infection and data loss continues to rise, costing businesses worldwide billions of dollars per year. In the last two years, attacks on small and medium businesses have become more prevalent, with an average ransomware payout increasing to more than $110,000.

Virus infections are not the only threat to business continuity. Physical hardware failures and human error can be equally costly and disruptive. Although server and network hardware have become far less likely to fail, the possibility cannot be ignored.

Business Continuity Plan vs. Disaster Recovery Plan

When talking about the approaches businesses take in order to keep up and running in the event of a disaster, we often use the terms disaster recovery plan (DRP) and business continuity plan (BCP) interchangeably. In reality, although these two concepts are quite similar, there is also a significant difference between them.

A business continuity plan is a broad set of actions used to ensure that a company can continue to operate during a disruptive event in general. It focuses on the business as a whole, but drills down to specific scenarios that create risks for critical operations. Usually, it’s a written document that includes a list of critical supplies, employee contact information, a list of crucial business functions, copies of important records, and a lot more.

A disaster recovery plan can be considered to be a more focused, specific part of a business continuity plan. It refers to the steps and technologies for recovering from a disruptive event, such as lost data or failure of infrastructure or other technological components. The DRP is usually focused on the needs of the IT department.

But it goes without saying that both of these elements are important to have in place because businesses face a wide range of issues - both natural disasters and man-made threats - that may hinder their ability to function.

To learn more about the difference between the concepts of business continuity and disaster recovery, refer to our article:

Further reading Business Continuity vs Disaster Recovery

How to Build an MSP Business Continuity (BCDR) Plan

Business continuity (BC) refers to a business's ability to continue operating during or following an unexpected disruption. Disruptions include events such as the loss of power to a data center, the loss of data as a result of the failure of a disk, or a DDoS cyberattack that makes servers temporarily unavailable.

Business continuity can involve the entire business or just part of it. If one department's files are lost, that creates a business continuity challenge for that department that must be addressed, even if other units of the organization are not impacted.

Let’s take a look at the most essential concepts that can help you build an efficient business continuity plan for your clients:

#1 Resilience, Recovery, and Contingency

Businesses have to be equipped with tools, technologies, processes, and leadership vision to tackle disasters as and when they strike. They can minimize their losses only if they can rise to the situation and continue to operate effectively even in the event of a catastrophe.

Resilience focuses on:

• Identifying critical elements of business
• Mitigating risks
• Engineering systems for high availability and the capability to recover quickly
• Ensuring business reverts to normalcy as soon as possible after disaster strikes

Recovery focuses on:

• Relocating systems, if needed
• Planning to ensure optimized use of limited resources in a situation of disaster
• Creating backups
• Determining the level of availability/performance for systems to be deemed “recovered”

Contingency planning focuses on:

• Developing a contingency planning policy
• Conducting business impact analysis (BIA)
• Putting preventive controls in place
• Creating contingency strategies
• Developing a contingency plan for information systems
• Ensuring planning, testing, training, and drills
• Ensuring plan maintenance and upgrades

By building resilience, recovery, and contingency into the BCP, you can significantly reduce the downtime of a business.

#2 Business Impact Analysis (BIA)

Business impact analysis plays a pivotal role in BCP. The steps involved in creating a BIA are simple.

• The first step is to gather information around the kind of threats that an organization is vulnerable to.
• The next step is to associate each of these calamities with a probability factor.
  Rank them in descending order.
• According to the nature of the hazard, prepare a detailed report with regard to the type, possible aftereffects, and how to cope in such an event.
• After signing this off with the senior folks of the organization, a BIA is set in place.

#3 Recovery Time Objective

In the event of a hazard, it is essential to recover any data that is lost in the process. Recovery time objective (RTO) refers to the maximum time allowed to restore a business or a website to its fully functional mode after a disaster, such that the downtime remains “tolerably” low.

The lower your process’s tolerance of downtime, the shorter the RTO becomes.

Further reading Recovery Time Objective (RTO)

#4 Recovery Point Objective

Recovery point objective (RPO) is a measure of how up-to-date the recovered files must be in order to ensure normal operations. RPO is expressed in elapsed time, with reference to the moment at which the disaster/downtime occurs. The unit of measure is hours or minutes.

A low number of this metric indicates a robust BCP.

Further reading Recovery Point Objective (RTO)

#5 Roles and Responsibilities

A BCP is effective only when the team that manages it is clear on the different roles that must be played, and who plays which role when the disaster strikes.

Your business continuity plan is a living document and must be regularly updated. The relevant teams must be well aware of the latest version of the plan, and any changes in roles and responsibilities it implies.

To make sure everybody is equipped to perform their respective roles, conduct dry runs, simulations, and plan reviews within team members.

#6 Recovery Procedures and Checklists

Recovery procedures are a set of documents that explain how to cope with a disaster and recover from its aftereffects.

It specifically focuses on the IT department and covers rules such as keeping the server room safe from fire and physical damage and having a proper backup for easy restoration of data.
It also involves regular inspections and scouring for possible vulnerabilities to keep the company’s IT ecosystem safe.

Checklists are the ideal planning documents to help executives ensure that their organization’s IT systems comply with the recovery procedures.

#7 Response and Recovery Log

Response and recovery logs refer to documents that record the details of the hazard.

A response log registers:

• The type of hazard
• Who/what was affected
• The damage incurred
• The plan that was followed

The recovery log records:

• How long it took for the business to restore itself to normalcy
• The steps carried out
• A breakdown of the different operations and their recovery times

#8 Change Management, and Business Continuity and Disaster Recovery (BCDR) Testing

Any disaster management plan is effective only when it is subject to continual testing and improvement.

Further reading Disaster Recovery Testing

The same holds for BCDR testing. Some of the methods that can be implemented to test the effectiveness of a BCDR plan are:

Review
The BCDR plan has to be reviewed multiple times and with different stakeholders to assess its effectiveness and usefulness.

Seek assistance from disaster management experts who will be able to see through any loopholes and fine-tune it.

Simulation
Mock drills of the disaster recovery process are a great way to prep the staff for any unanticipated hazard. This will also help identify any bottlenecks in the existing plan and make it robust.

Tabletop Test
In this process, the disaster management team goes through every step of the BCP with every staff member. This ensures that everyone is armed to face any calamity. It also helps in identifying people who may not have enough information, so that they can be trained to deal with the hazard.

#9 Latest Business Continuity Standards

Irrespective of the scale of the hazard, business downtime means loss of time and money. As the nature of threats keeps on changing, so does the state of business continuity standards.

• ISO 22301 is a management system process that helps in ensuring business continuity in the event of a calamity.
• It helps in identifying the potential risk factors and the kind of hazards that the business is vulnerable to.
• The next step is for the business to identify critical operations that must not be affected as a result of a catastrophe.
• Once these operations are identified, it is imperative to keep them running in the event of a hazard, and minimize the impact.
• The last step focuses on recovering quickly and demonstrating this ability to mitigate a disaster to clients and partners.
• This framework ensures that the business isn’t negatively impacted by any calamity.

BS EN ISO 22301:2014 is another business continuity planning standard, released by the British Standards Institution (BSI) and endorsed by British organizations.

Sudden calamities cannot be predicted, but that doesn’t mean that they can’t be planned for when running a business. It is vital to account for unforeseen setbacks and have a plan in place.

Selling MSP Business Continuity Plans for Increased Profits

Why Do Businesses Partner with an MSP?

Many companies turn to managed service providers to oversee their IT departments, instead of hiring an in-house team. MSPs can be effective in reducing costs and administrative overheads for small or medium-sized businesses that lack the resources to hire their own team. By acting as a complete IT solution or working side by side with an in-house team, MSPs can ensure that a robust solution is in place.

Further reading Top 5 SMB Pain Points Solved by MSPs

Businesses Often Enlist MSP Aid After an Event

In many cases, businesses reach out to MSPs for help after a disruptive event has already occurred. However, an extremely disruptive attack can be a wake-up call for business managers that more proactive security measures are necessary.

By spotlighting possible points of failure that may not be obvious to company stakeholders, MSPs can point out areas that need improvement and potentially increase their client involvement.

How Can MSPs Increase Business Partnership Benefits?

Traditionally, MSPs may provide data-protective services such as backup, antivirus solutions, and monitoring. However, there are many other services that MSPs can provide to safeguard their clients’ continued business operations.

In the age of ransomware and other destructive threats, data backup, business continuity planning, and employee education are some of the most effective tools in the fight to prevent data loss and to protect business operations

MSPs can offer these and other services to SMB clients to ensure security, compliance, and continuity.

Further reading How to be Protected Against Ransomware

Why SMBs Need a Business Continuity Plan

A business continuity plan should provide a clear course of action in the event of an intrusion, infection, failure, or even environmental disasters, such as earthquakes, tornadoes, and floods.

A well-written BCP can:

• Identify threats
• Prioritize critical business operations
• Identify critical team members
• Develop an effective response roadmap
• Reduce downtime
• Ensure continued business operations
• Each of the above-mentioned points can be used while sales pitching to your prospects, and upselling existing clients.

What Services Can MSPs Offer?

MSPs can increase their involvement with clients by offering other, equally critical, security and safety services, such as:

• Risk assessment to identify long- and short-term threats to company operations
• Business impact analysis
• Training programs for employees
• Educational resources
• Equipment inventory to ensure resources are available in the event of a disaster
• Contact information for emergency response personnel, including responsibilities
• A disaster recovery plan

To ensure continued business operations, other resources are also necessary, such as an incident response plan that includes a list of actions and an identified response team. For resources such as an incident response plan to be effective, all business employees must be made aware of it.

These resources and services can identify threats, list appropriate actions, and reduce response time should a disruptive event occur.

To Sell or Not to Sell?

Although it may be necessary to encourage business clients to develop a strong, effective business continuity plan, many SMBs turn to managed service providers because they need more than just IT support. They also need recommendations and direction that can safeguard their business and protect their operations.

Along with the other resources listed, an effective BCP can help to protect a managed service provider’s clients by predicting potential emergencies and preventing business disruption.

By upselling those services, MSPs can do more than just increase their own revenue. They can also increase the safety and security of their clients by helping to ensure their data security and business continuity.