One of the most important elements of a business impact analysis (BIA) or other business continuity planning exercises is identifying each function’s critical records. The survival of your business may depend on the availability of critical records. Without them, there may be no recovery in the event of a disaster.
Which are your critical records and where are they stored? How long can you live without them? And what’s your backup plan if they’re not available?
Critical Records Management
Most business continuity planning clients I talk to state their critical records are readily available in digital form on the network. But if the network isn’t available due to a disaster, those critical records won’t be available either.
In the case of electronic records that are hosted in a document management system or another repository (e.g., SharePoint), hopefully, that repository is properly backed up and the backups are accessible even if the network is down. But has anybody checked those backups lately? You need to periodically verify the backups are what you expect them to be and accessible should a disaster occur.
Critical records can fall within a very broad spectrum, from network recovery procedures to a contact list of key clients/stakeholders. If your critical records aren’t available, the impacts may vary from not being able to notify key stakeholders, to not having the procedures to correctly and securely recover your network, to not having your key references. The list goes on.
Even with experience, it can be very challenging to identify critical records, especially given the volume of data organizations must deal with. Take a non-IT, “non-critical” function like sales and marketing. What’s the impact if you can’t recover your marketing strategy? What about the customer list stored in your CRM system? How long can you continue operations if your sales function is partially or completely offline pending recovery of critical systems that allow you access to critical records?
If you haven’t done adequate analysis around identification and availability of your critical records, then you’re flying blind. That’s a potential crisis on top of the crisis you’re trying to recover from because you don’t know what you’ve set yourself up for.
Planning for recovery of critical records in a disaster isn’t particularly sexy or high-tech. But if you fail to plan effectively, you might create a gaping hole in your recovery capability. As with everything recovery-related, what you don’t know is what’s really going to hurt you.
To start a conversation on how best to identify your critical records and ensure they’re at your fingertips when you need them, contact Pivot Point Security.
For more information:
- Guidance on identifying and protecting critical records for federal agencies from the US Dept. of Energy
- The State of California’s Vital Records Protection and Disaster Recovery Handbook
- For common-sense guidance on storing and accessing paper records as well as digital records for business continuity: 7 Elements of an Effective Records Management Program
- Cautionary tales on ensuring post-disaster access to offsite paper records
- An oldie-but-goodie: The National Archives and Records Administration’s Vital Records and Records Disaster Mitigation and Recovery