While events may have a habit of confounding the best-laid plans, the consequences of not having a plan in the first place are usually worse. Most of today’s business leaders have formulated some idea of what they would do in the event of a disaster, but how many of them have a detailed understanding of what could constitute a disaster? Unfortunately, the answer seems to be precious few.
Preparing to mitigate a disaster can be complex and varied, but it need not be an insurmountable task. There is a range of in-house business continuity provisions, as well as third-party and outsourced services, that can ease the burden and strengthen operational resilience. Here are some of the questions we are often asked by clients looking to mitigate threats to their business.
What should a good business continuity plan seek to achieve?
There are two key elements to a business continuity plan. First, it should pinpoint exactly what a company can do to protect itself. Second, it should identify what third-party support is needed to maintain essential operations.
What should such a plan aim to protect against?
Most businesses face a number of potential risks, such as a prolonged power outage or major incident at the main site, which could require contingency plans for keeping staff and customers informed. More mundane tasks must also be considered, such as ensuring that if a server fails, the data is secure and protected. Other risks include suppliers facing financial difficulties.
The often-overlooked key to a good business continuity plan is ensuring that it is regularly tested. This is an ideal way of finding out how the plan works in practice and whether there are any practical issues that prevent it operating smoothly. However, testing can be costly, and the likelihood of a disaster is often seen as low. That said, the potential impact of a disaster could be extremely significant to the business, so the threat should not be treated lightly.
What can business leaders do to safeguard their critical operations?
Whatever method a business chooses to protect itself, whether through the harnessing of in-house skills or third-party service providers, one key requirement is that data is backed up.
Where that backup set of data is stored is also critical – there is little point storing it next to the original source, so provisions must be made to store it elsewhere. Data protection standards will also apply to that set of backup data.
What differentiates disaster recovery service providers?
The key is to make sure that the service fits with the business and covers all the potential risks to operations. Ideally, the service provider will have the appropriate infrastructure, which might well include uninterruptible power supplies, industry-recognised fire suppression systems and precision air conditioning. The Uptime Institute’s datacentre classification system can provide a useful mechanism for ensuring the standard of facility meets business requirements.
Business leaders should also stipulate the level of disaster recovery service that will be required in the contract. This will help ensure that when trouble strikes, the business can access the support it needs. In some cases it will be appropriate to require the service provider to be certified for quality.
Service providers should also be able to demonstrate that they have proper security arrangements in place. These should include physical security mechanisms such as surveillance cameras and biometric systems, as well as IT-based defences such as passwords and firewalls.
Does IT outsourcing present an additional business continuity risk?
Any business leader going down the outsourcing route has to be prepared to give up a degree of control over the processes in question, even though they remain ultimately accountable for their smooth operation.
In many situations, a well-managed outsourcing setup can be an advantage to the business. For example, most third-party IT services providers can provide secure remote backup facilities.
Managing the risks associated with outsourcing need not be particularly onerous. One of the keys is ensuring the outsourcing arrangement is not overly complicated, and allows for providers to be switched if necessary. A robust business continuity process should also be embedded in the contractual framework from the outset. Any agreement should include a copy of the provider’s business continuity plan, and set out how the provider intends to update, test and maintain the plan. Business leaders should also insist on a provision that allows them to observe the test and audit the results.
When entering into an outsourcing contract it is vital to consider whether the provider has the right to sub-contract any of its obligations, and if so, the extent to which the business continuity plan covers sub-contractors. If key services are being sub-contracted, business leaders may want to see the sub-contractor’s business continuity plan and secure the right to inspect their arrangements and monitor testing.






