According to the ESG Research Review Data Protection Survey from Enterprise Strategy Group, 53% of organizations can tolerate less than an hour of downtime before experiencing significant revenue loss or other adverse business impact. Of those that experience a significant business interruption, 30 percent never recover.
This is especially alarming data for associations and nonprofits. Too often within these industries, business continuity planning gets put on the back burner to deal with more immediate needs. However, when disaster strikes, there is no more salient question than:
“Can our organization survive this?”
For more than two decades, Optimal has helped our association and nonprofit clients navigate the path to answering that question in the affirmative. Our recommendations are below.
Step 1: Determine the levels of disaster scenarios to consider testing
The five levels of disaster are as follows. As you work through them, consider which of these questions you can answer with confidence, and which give you pause.
1) An important file is lost. Can you restore it in a timely and effective fashion?
2) Your organization’s server fails. Can it be virtualized? Replaced?
3) There is a biohazard that has made the office inaccessible. Can all employees work remotely?
4) Your office burns down. Can you function?
5) The worst of all possible disasters: The entire city where your office is located is struck by disaster. Are you out of business?
Review each department within your organization separately. Ask how long it can afford to be “out of business” and what resources it would need to get up and running. Build your overall plan so that it takes into account the specific risk factors for each department.
Step 2: Plan to test the scenarios
Industry standards suggest that you test your plan for a failed server situation twice a year and for a Level 4 disaster scenario (your office burns down) once a year. Note that the more severe the simulated disaster, the more downtime the test will require. Of course, the quicker your means of recovering from a disaster (backup systems in place, server virtualization methods, etc.), the less downtime a simulated disaster will require.
Consider direct costs and the cost of downtime before you decide which testing level is best for your association. After this evaluation, if you find that the cost of testing (dollars and downtime) is an issue, consider testing only the most common disaster scenarios: server failure and file loss.
Step 3: Test your scenarios
Once you have a detailed disaster recovery plan in place, you want to make sure it will still be effective once the time for tests has come and gone. Here's how to go about it:
1) With the help of external consultants and/or your internal IT team, plan the disaster recovery test with the full knowledge (and acceptance) that it will require downtime. Then, comprehensively communicate this to all employees, clients, and members.
2) Ensure that you have an executive-level user involved in the testing scenario so that you have someone on the “front lines” who can evaluate the test from a business continuity perspective. An Executive Director or Membership Director would be good picks.
3) As you are conducting the test, keep a detailed log of everything that does not go as planned (as well as the solutions that worked well). This way, the test will inform the plan’s revisions.
4) When your test is complete, review your log and incorporate any suggestions to modify your plan (and, if necessary, your technology) so you are ready for the next test.
With multiple surveys reporting that the cost per minute of downtime can range from $15,000 to $30,000, the cost of a disaster scenario for which you are not prepared can quickly add up. And that is without factoring in the costs of a diminished organizational reputation and decreased membership confidence.
When designing and testing a disaster recovery plan for your association, be specific and be comprehensive. It could be what keeps you in business following the unthinkable.