How To Draft Your Business Continuity & Disaster Recovery Plans In The Digital Age

It is a truth that holds itself evident that this pandemic qualifies as a disaster. Largely because commerce engagement has stopped, and...


How To Draft Your Business Continuity & Disaster Recovery Plans In The Digital Age

It is a truth that holds itself evident that this pandemic qualifies as a disaster. Largely because commerce engagement has stopped, and this is in fact, affecting the people involved; both key stakeholders and personnel. If there was a time to dust off your Business Continuity Plan (BCP), now would be the time.

In a CIO East Africa webinar titled Business Continuity And Disaster Recovery In The Digital Age, Muchemi Wambugu, Founder and MD, Sirius Consulting, invokes Will Kenton who described it as “the process involved in creating a system of prevention and recovery from potential threats to a company.” Kenton then continues, “The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster. The BCP is generally conceived in advance and involves input from key stakeholders and personnel.”

Muchemi highlights eight things to consider when working on a BCP:

  • what critical applications will stop the organisation from functioning if not used and who are the critical people?
  • do you have a Chief Risk Officer (CRO) who can work through mitigation planning and figure out what to do if people can’t move the way they normally do?
  • can you figure out who the responsible people are such as the CRO, and who gets to execute under red, blue and green teams?
  • do you have a communications strategy to manage people in a way that protects the brand?
  • does there exist an emergency contact list to help you stay in touch with your team through work, personal and private numbers?
  • do you have WAR sites through a virtual environment?
  • where is the data and is it backed up off-site, on-site and who has authority?
  • are your third party business suppliers and you a perfect match in terms of resources that are not curated by you?

Before executing your plan, however, you need to:


  • have a current BCP and Disaster Recovery Plan (DRP) – where current means reviewed every quarter,
  • test your business, people and process risks to set up mitigation plans,
  • test your WorkAreaRecovery (WAR) scenarios,
  • test you call tree for mission-critical staff,
  • test (internal and external) communications by doing live scripts that you need to have reviewed for a tone of empathy,
  • test your DRP activation in the process reviewing contracts and relationships,
  • test your third party stakeholders and figure out if you, and them, are essential services,
  • review the process and document lessons learned and updated to make it seamless.

Your BCP will also be related to:

ERP – Emergency Response Plan: provides measures that need to be undertaken in the initial stages of an emergency incident to ensure that the incident is put out before it escalates to levels which threaten the business’s ability to provide service to its customers and shareholders. It operates at the Board level. It should also be customised to include emergencies such as floods, fires and explosions.

CMP – Crisis Management Plan: provides an organised communication protocols/procedures and ways of dealing with a crisis and is not contained in the ERP. This is overseen by management a C-Level.


BCP – Business Continuity Plans: provides for the measures that need to be taken to resume critical business operations/processes in the event of a major disaster operated at C-Level with the hand of Operations.

DRP – Disaster Recovery Plan: provides directions to which technology continuity aspects of the business in event of a crisis, and handled by both Operations and the ICT department.

Muchemi also raises solid pointers. “This (the BCP), is a business document. The CEO takes ownership and the CRO executes. It helps you identify the resources that are missing in your business. It asks of you whether you understand your brand and your business and if you know what they represent. And, communicate, communicate, communicate. Talk with your employees to accurately share the facts.” He adds, most importantly, to “Stay calm. You have a plan.”

William Makatiani, CEO, Serianu, chimes in. A recovery plan needs to be locally based as is cloud. We are noticing more local cloud-based solutions.” Incidences such as Covid-19 could, under insurance, fall under force majeure, which means your plans fail and you lose your services and in modern times, you have to manage teleworkers. How ready are you for these kinds of scenarios?


When it comes to third party suppliers, William is very clear. You need to be sure that you and your suppliers are on the same level in terms of disaster preparedness. One of the ways o find this out would be to run a test, gauging their preparedness. “We have noticed when it comes to RDP, there were 300 before COVID-19. Now there are  5,100 servers, it means most organisations had not planned, therefore they did not have VPN connections leaving them vulnerable to attacks.” Thank your lucky stars, he says, that this pandemic has happened during the times of 4IR, else decision-making would have been a very different affair.

One thing he would like to emphasise is this. “You cannot copy-pasts a BCP from another company. A BCP is really about people.” In times of VUCA if you do not keep up, you can find that some of the people who you are banking on to execute have since left the firm, changed positions or even God forbid, have since passed.

In case you are asking yourself if like 34.5 per cent of all enterprises, you are an SME with a limited budget, whether you need a BCP the answer is very much so. You would need to communicate, again with that word, with your partners and build your brand – that word, too, again, – in the marketplace. The team will need to be trained and you will have to communicate. William says you need to ask yourself:

  • what do we do as a business?
  • what apps do we need to achieve our mission?
  • who do we need and how critical are they?
  • who are the suppliers we need to work with?
  • what can stop us from making money?

Should the worst have happened and you have been caught flat-footed, draw inspiration from one of two things.

  1. Treat the opportunity as a crisis and handle the disaster as you would with crisis management. Then monitor your reaction, take note and dust it out when the next crisis comes because as sure as the sun rises there will be another crisis;
  2. When kanjo chase hawkers off the streets, they always know exactly where to run to and hide both themselves and their wares until the storm blows over. That is BCP.

The next webinar will be on the 21st of April 2020 at 3.00 pm. It will be on Leadership In The Digital Age. It features Prof Louis Fourie, the immediate former Deputy VC, Knowledge & Information Technology Services. Everyone is welcome. Register Here.


Do you have a story that you think would interest our readers? write to us