Small businesses are often more at risk from IT system failures as they are completely reliant on them being operational. With limited resources to call upon, disruption to those automated operations can cause major impact on the ability for small businesses to serve customers, pay suppliers, meet compliance obligations and stay in business.
As a small business owner you will have embraced technology. This brings rewards as well as risks.
So how do you effectively manage those risks?
I won’t be discussing data security in this article. Breach detection and prevention will be a future topic.
This is about continuity planning. How to work out the steps and put it in place to minimise the impact of IT system failures in your business.
Rather than looking at causes of failure, we’re going to apply two measures to each of your business data sets. For instance, emails are a data set, accounting data is a data set, files on the same server or cloud service is a data set, orders (if they’re not part of accounting) is a data set, job bookings is a data set and so on.
We apply two measures to each data set:
~ How long can your business go without access to its data, how long the system can be down before it has an impact (availability).
~ How up to date the data needs to be, how much data you can afford to lose when the system is available again – you will have to try and recreate the data if it’s key before it causes an impact (integrity).
From these two measures we get the wonderful IT measures of:
1. Recovery Time Objective (RTO)
2. Recovery Point Objective (RPO)
Note that this is nothing to do with IT. It’s entirely focused on the operational needs of your business, so it needs to be carried out by a manager. As it’s ultimately financial risk, it should be carried out by the business owner.
RTO and RPO should be reviewed at least annually. We review every quarter. Small businesses don’t have that many data sets, so it doesn’t take long, and you don’t want to wait until you’ve had a failure to find out that either the RTO or the RPO has changed and you’re now in a bad position.
So let’s take the most common data set, email.
1. RTO – How long can your business be without email? Most clients say they can’t be without email for more than a couple of hours. It’s the main method of communication with clients and service levels drop significantly when emails aren’t responded to promptly.
So we set the RTO at 120 minutes.
2. RPO – How much data can you lose when the system comes back online? This depends entirely on where email fits in the business’s operations. For instance, if the email system fails at 2pm, can you afford to lose emails sent and received since midday, since 9am, since midnight? That’s entirely dependent on your business, but it’s key that you make an informed assessment.
Let’s say we can lose the last 4 hours of emails as we don’t get that many transactional emails through.
So let’s set the RPO at 4 hours.
Now let’s consider a job booking system for an alarm company as an example.
1. RTO – Not that important, as staff could go back to manual records while the system is down. Bookings, alterations, cancellations, payments and spares needed, for instance, could be recorded on prepared forms and entered into the system when it is recovered. It would be a pain, but it’s doable without too much disruption for a day.
So let’s set RTO at 24 hours.
2. RPO – This is where it gets difficult. Only one record of jobs and alterations is kept – in the system. No manual records are kept, so existing bookings, payments and spares needed would be lost without any ability to recreate the records. In this instance RPO is the risk area. Any loss of data would be seriously disruptive and have a major impact on customer service and income.
Setting the RPO on this depends on how busy the team is and how many jobs you can afford to have major disruption on. An existing customer set this as close to zero as possible.
Let’s set the RPO to 1 hour.
This highlights a key point.
Almost all small businesses think about the RTO – how long can we be without a system.
However, in my experience of doing this exercise with business owners, the RPO is way more important and highlighting this brings risk into sharp focus as in the example of the alarm company.
Once you’ve done this exercise on your data sets it’s over to IT to deliver what’s required.
With modern solutions it’s possible to get RPOs of close to zero.
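Once the business has set its numbers, IT can check them against what the backup schedule actually delivers. The script below is an added example, not part of the original article: it takes the RTO/RPO values chosen for the two data sets above, a constructed backup completion log and constructed restore-time estimates (both hypothetical), and works out how much data would be lost if a failure happened at 2pm, whether that loss is within the RPO, and whether the backup interval can ever meet the RPO at all.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class DataSet:
    name: str
    rto: timedelta               # how long the business can be without the system
    rpo: timedelta               # how much data the business can afford to lose
    estimated_restore: timedelta  # hypothetical: how long IT expects a restore to take


# The two data sets from the article, with the RTO/RPO values chosen there.
# The restore estimates are constructed for this example.
DATA_SETS = [
    DataSet("email", rto=timedelta(minutes=120), rpo=timedelta(hours=4),
            estimated_restore=timedelta(minutes=90)),
    DataSet("job bookings", rto=timedelta(hours=24), rpo=timedelta(hours=1),
            estimated_restore=timedelta(hours=4)),
]

# Constructed backup completion log: (data set, time the backup finished).
BACKUP_LOG = [
    ("email", datetime(2024, 5, 6, 0, 0)),
    ("email", datetime(2024, 5, 6, 4, 0)),
    ("email", datetime(2024, 5, 6, 8, 0)),
    ("email", datetime(2024, 5, 6, 12, 0)),
    ("job bookings", datetime(2024, 5, 6, 0, 0)),
    ("job bookings", datetime(2024, 5, 6, 6, 0)),
    ("job bookings", datetime(2024, 5, 6, 12, 0)),
]

# The article's scenario: the system fails at 2pm.
FAILURE_TIME = datetime(2024, 5, 6, 14, 0)


def loss_at_failure(name, log, failure_time):
    """Data written after the last completed backup is lost; None if nothing to restore from."""
    completed = [t for n, t in log if n == name and t <= failure_time]
    if not completed:
        return None
    return failure_time - max(completed)


def max_backup_interval(name, log):
    """Longest gap between consecutive backups; the worst case loss the schedule allows."""
    times = sorted(t for n, t in log if n == name)
    if len(times) < 2:
        return None
    return max(later - earlier for earlier, later in zip(times, times[1:]))


def assess(data_sets, log, failure_time):
    """Compare each data set's RTO/RPO with what the backup schedule and restore estimate deliver."""
    report = {}
    for ds in data_sets:
        loss = loss_at_failure(ds.name, log, failure_time)
        interval = max_backup_interval(ds.name, log)
        report[ds.name] = {
            "loss_hours": None if loss is None else loss.total_seconds() / 3600,
            "rpo_met_at_failure": loss is not None and loss <= ds.rpo,
            # A schedule only guarantees the RPO if its longest gap is within the RPO.
            "schedule_meets_rpo": interval is not None and interval <= ds.rpo,
            "rto_met": ds.estimated_restore <= ds.rto,
        }
    return report


def run_report():
    return assess(DATA_SETS, BACKUP_LOG, FAILURE_TIME)


if __name__ == "__main__":
    for name, result in run_report().items():
        print(name, result)
```

Run as written, email passes on both measures (two hours of loss against a four-hour RPO, and a four-hourly schedule that can always meet it), while job bookings fails its one-hour RPO both at the 2pm failure and structurally, because backups are six hours apart. That is exactly the situation the alarm company example describes: the RTO is comfortably met, and the RPO is where the risk sits.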
If we can help you with any of this, or design a Business Continuity solution to deliver the RTOs and RPOs that your business needs, please get in touch.