June 09, 2021
Business Continuity: Disaster Recovery & Mitigation
CYBERSECURITY, FRAUD, & THE PEO OPERATION
Not long ago, disaster-related events were pretty much synonymous with severe weather and geographic power/network failures caused by a misguided backhoe. In the last 12 months, however, we’ve experienced first-hand the chaos a pandemic and cybercriminals can wreak on our operational capabilities, quickly changing the way we think about the resiliency of our mission-critical systems. Surviving a large-scale service interruption is no longer something we can just worry about late at night, hoping it will never happen. Investing our time and resources to plan for an eventual disaster is something we are obligated to do.
The average cost of an IT system outage is dependent on several factors—some relevant to typical PEO operations, some not so much. The financial impacts vary when you consider your revenue streams, the duration of the outage, the number of customers impacted, and even the time of day. According to various studies, the average cost of system downtime ranges from a few thousand dollars per hour to a few thousand dollars per minute, depending on the type of business, the type of outage, and/or the impacted system(s). In the PEO industry, the estimate is probably closer to a few thousand dollars per hour, but to our hard-working employees and clients who rely on us for their paychecks, family health benefits, etc., any interruption will be traumatic, leading to a loss of confidence and eventually the loss of clients.
DISASTER RECOVERY PLANNING
There are different schools of thought about where to begin disaster recovery (DR) planning, but most schools agree you should start with a business impact analysis (BIA). Going through the BIA process will help everyone get their heads wrapped around the breadth and depth of the critical systems that must be addressed. Most PEOs likely do not have a skilled DR/business continuity (BC) expert on staff to guide them through the process, but even if you do, consider engaging a partner who specializes in DR consulting. The consultant should have a repeatable process and common-sense approach to take you through the steps from start to finish and make recommendations based on objective data and facts, not subjective fear and conjecture, which will help keep you grounded in reality and focused on the objective. Before you decide to engage a DR consulting firm or take the planning on yourself, you must have executive sponsorship out of the gate. Once you start seeing the data, you’ll realize that to protect your clients and your business, material financial investments will be needed. It’s also important to set the expectation that DR planning is not solely the responsibility of IT or just another IT project, but rather, is an enterprise initiative and requires high levels of engagement from subject matter experts and stakeholders across the business.
One of the key inputs needed to complete your DR plan is an asset inventory. You can expect the planning team to reference it countless times as it goes through the process. In addition to your physical systems, the inventory should include critical software applications, databases, and Software as a Service (SaaS) providers. You can use the inventory to centrally locate and maintain crucial information about your maintenance contract terms, key support contact information, and service level agreements. There are several asset inventory tools available on the market, but if you don’t have a tool, you can start by just building one in a spreadsheet.
With an asset inventory in hand and the findings from your BIA, your organization will be able to define the recovery time objectives (RTOs) and the recovery point objectives (RPOs) for your critical systems and data. The RTO is the amount of time (and the service level) within which a system must be restored to avoid a negative impact to your business, while the RPO establishes the maximum acceptable amount of data, measured in time, that can be lost after a disaster or failure occurs. Defining these two objectives is absolutely necessary for IT to determine the frequency of data back-ups, when and where systems need to be redundant, and the measures needed to secure your sensitive data. Understanding your RTO and RPO will help ensure you do not over- or under-architect your DR solutions, keeping your investments congruent with your level of acceptable risk.
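The asset inventory and the RTO/RPO objectives above only pay off if someone routinely checks them against reality. The following script is an added example, not from the article or from NAPEO, showing how a small inventory (constructed here as a Python list; a spreadsheet export would feed it the same way) can be checked against two RPO conditions (is the backup schedule tight enough, and is the last successful backup recent enough?) and one RTO condition (did the last fail-over test actually restore the system within the objective?). All asset names, times, and the `Asset` fields are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Asset:
    """One row of a constructed asset inventory (hypothetical fields)."""
    name: str
    rto: timedelta                          # recovery time objective
    rpo: timedelta                          # recovery point objective
    backup_interval: timedelta              # scheduled gap between backups
    last_backup: datetime                   # completion of last successful backup
    measured_restore: Optional[timedelta]   # restore time in the last fail-over test, None if never tested


def rpo_findings(asset: Asset, now: datetime) -> List[str]:
    """RPO is violated if backups are scheduled less often than the RPO,
    or if the most recent successful backup is older than the RPO."""
    findings = []
    if asset.backup_interval > asset.rpo:
        findings.append(f"backup interval {asset.backup_interval} exceeds RPO {asset.rpo}")
    age = now - asset.last_backup
    if age > asset.rpo:
        findings.append(f"last backup is {age} old, older than RPO {asset.rpo}")
    return findings


def rto_findings(asset: Asset) -> List[str]:
    """RTO is only proven by a test; an untested system is flagged, and a test
    that took longer than the RTO is flagged."""
    if asset.measured_restore is None:
        return ["no fail-over test on record; RTO unverified"]
    if asset.measured_restore > asset.rto:
        return [f"last test restore took {asset.measured_restore}, exceeds RTO {asset.rto}"]
    return []


def assess(inventory: List[Asset], now: datetime) -> Dict[str, List[str]]:
    """Map each asset name to its list of findings (empty list means compliant)."""
    return {a.name: rpo_findings(a, now) + rto_findings(a) for a in inventory}


# Constructed sample data: the reference time and three hypothetical assets.
NOW = datetime(2021, 6, 9, 9, 0)
INVENTORY = [
    Asset("payroll-db", rto=timedelta(hours=4), rpo=timedelta(minutes=15),
          backup_interval=timedelta(minutes=15), last_backup=NOW - timedelta(minutes=10),
          measured_restore=timedelta(hours=3)),
    Asset("benefits-portal-saas", rto=timedelta(hours=8), rpo=timedelta(hours=24),
          backup_interval=timedelta(hours=24), last_backup=NOW - timedelta(hours=30),
          measured_restore=None),
    Asset("file-server", rto=timedelta(hours=24), rpo=timedelta(hours=4),
          backup_interval=timedelta(hours=6), last_backup=NOW - timedelta(hours=1),
          measured_restore=timedelta(hours=26)),
]

if __name__ == "__main__":
    for name, findings in assess(INVENTORY, NOW).items():
        print(f"{name}: {'OK' if not findings else 'REVIEW'}")
        for finding in findings:
            print("  -", finding)
```

Run as a scheduled job against the real inventory, the `REVIEW` lines are the gap between the objectives the business signed off on and what IT can currently deliver, which is exactly the evidence the planning team needs when asking for investment.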
TESTING THE PLAN
Testing your DR plan—through table-top exercises (meetings to discuss a simulated emergency situation) or fail-over exercises (actually switching to the standby system that is ready to run your mission-critical programs when a disaster occurs)—will provide many benefits that will help refine your plan while training those involved in the recovery effort. This will help minimize the chaos inherent in a real event. When planning to implement a new system, be sure to include its DR needs during the planning phase to make sure it’s covered and the costs can be included; it can be expensive and time-consuming to go back and address this after the system is in use.
Finally, most PEOs rely on multiple third-party providers for their core business systems. In the words of our 40th president, “Trust but verify.” Review provider system and organization controls (SOC) audit reports to make sure they are being followed and any exceptions are addressed by management and remediated. Make sure you understand what measures and investments they’re making to their infrastructure to protect your data and operations and how well they are managing their third-party service providers who play a role in ensuring the availability of your systems and the protection of your and your clients’ data.
Chief Information Officer
Read in NAPEO's PEO Insider June/July 2021 issue on page 34.