15 November, 2023
As the risk of disruptions to business operations mounts in the face of severe weather, cybersecurity breaches, global pandemics, terrorism, and even war, many organizations have found themselves struggling to protect themselves from evolving threats.
Unfortunately, it is often not until businesses find themselves at immediate risk that they take action to prepare for the worst. As natural and human-made disasters continue to rise in both volume and severity, a proactive, formalized, and well-practiced approach to business continuity and disaster recovery has become even more critical.
At Empyrean, we’ve seen first-hand how crucial thoughtfully designed disaster recovery and business continuity programs are for corporate resiliency. Our headquarters is located in Houston, Texas, which has a climate prone to extreme weather events. Over the last few years, the Houston area has experienced severe natural disasters that have included hurricanes, flooding, extreme heat, power outages, and even freeze events.
But even through these states of emergency, we have had little to no disruption to our regular business operations. The redundancies, controls, technologies, and training we have provided to our teams have made us well-positioned to weather any type of storm – be it a hurricane, power crisis, or even a global pandemic.
Corporate Resiliency at Empyrean
Empyrean’s resiliency program is a framework of policies, procedures, and controls that are designed to protect our organization from a large range of threats, including those of natural, technological, biological, adversarial, incidental, or human-caused origin.
Our commitment to corporate resiliency is a year-round, ongoing effort that allows us to comprehensively avoid or reduce the impact of these potential threats by predicting, preparing for, and practicing our response to crises.
Our standards and guidelines apply not only to Empyrean team members, but to contractors, sub-contractors, and their respective facilities supporting Empyrean business operations, wherever Empyrean data is stored or processed, including any third-party contracted by Empyrean to handle, process, transmit, store, or dispose of Empyrean data.
The strict framework we follow maintains Empyrean’s compliance with our SOC1, SOC2, and ISO 27001 requirements, and helps to ensure the integrity and availability of our critical systems. This type of protection and oversight is essential for maintaining the trust of our stakeholders, partners, and (most importantly) our clients and their employees.
Here are some of the key features of our own resiliency framework, which includes best practice standards that are key pillars for any business continuity and disaster recovery roadmap.
Business Impact Analysis (BIA)
A business impact analysis (BIA) predicts the consequences of a disruption to your business and gathers information needed to develop recovery strategies. Through this systematic process, organizations can evaluate the potential effects of an interruption to critical business operations resulting from a disaster or other emergency and explore vulnerabilities and potential threats.
Our business impact analysis (BIA) is the core of our resiliency program and contains the key information and data we use to make decisions that pertain to our continuity, response, and recovery. Through this annual detailed analysis, we take action to guard against any identified vulnerabilities and develop plans to reduce any risks tied to the potential threat. Our BIAs also allow us to proactively prioritize all critical function areas based on their potential impact and likelihood of occurrence and implement or identify existing controls to mitigate downtime.
Some of the plans that we’ve built through our BIA include our Business Continuity, Disaster Recovery, Application Recovery, Technical Recovery, and Crisis Management Plans.
Training & Plan Execution
A plan is only as good as each team member’s ability to understand their role and respond in the event of a crisis. Our standard operating procedures (SOPs) provide step-by-step guidance for executing our response plans in a systematic and effective manner.
Responding to a disaster or emergency event requires the involvement of multiple stakeholders and careful coordination to ensure the confidentiality, integrity, and availability of sensitive company information. We carefully train our teams responsible for implementing controls, providing clear instructions, guidance, and training materials to ensure each team member understands how to execute a response plan should the need arise.
To do this, our SOPs include clearly defined roles, responsibilities, and redundancies. In addition to weekly meetings of our Resiliency and Crisis Management Teams, we conduct regular drills and practice exercises on an ongoing basis.
We also conduct an annual resiliency program review to assess the current state of our BIA and associated plans. This review re-evaluates potential issues that could threaten Empyrean’s ongoing operations and addresses gaps and lessons learned from our exercises and from actual real-life events.
Resiliency training is offered both as part of our annual compliance training and our ongoing quarterly response simulations. Through these training events, our team practices executing our SOPs, using our Mass / Emergency Notification System (M/ENS), and utilizing other tools incorporated into our disaster response programs. These drills also give us the opportunity to monitor controls to ensure they are functioning as intended.
Through this training, we give our employees the experience needed to ensure that our response to any real-life event is carried out thoughtfully and in accordance with our resiliency planning. These exercises also help identify and evaluate potential gaps in our plans so that we can take the necessary steps to resolve them and mitigate additional risks.
Internal Auditing & Corrective and Preventative Actions
In addition to our practical training programs, we maintain strict processes for identifying and addressing nonconformities and areas for improvement found through internal audits, management reviews, and other monitoring activities. These practices ensure that nonconformities are corrected quickly and that preventive actions are taken to prevent their recurrence.
These internal audits include the quarterly assessment of any changes to our business environment, shifts in tools and technologies used throughout the business, changes to regulations and standards, incidents and near-misses, and feedback from our key stakeholders.
If any nonconformities are identified through our team’s audits, we conduct a root cause analysis to identify the underlying cause(s), take swift corrective actions based on our findings, put preventive actions in place to ensure the issue does not arise again, and then monitor carefully to verify the effectiveness of the measures taken.
Third-Party Auditing and Reviews
While we conduct internal audits on an ongoing basis, we also rely on annual third-party audits to review the overall effectiveness of our processes and related controls. Through these ongoing reviews, our third-party partners can identify potential areas for improvement and ensure that Empyrean remains compliant with or exceeds all required standards.
We also undergo annual third-party audits to maintain our SOC1/SOC2 attestations and our ISO 27001 certification. Our annual SOC1/SOC2 audits and ISO 27001 surveillance review include an extensive examination of functions across a wide range of criteria to identify any gaps or non-conformance.
Empyrean also undergoes an intensive ISO 27001 recertification audit every three years.
Continuous Improvement
Threats evolve at a rapid pace, so we maintain a process of continuous improvement to ensure all of our business continuity and disaster recovery programs remain effective and aligned with our strategic goals.
To do this, we maintain a strict schedule that includes:
- Identifying opportunities for improvement that may include changes in the organization’s context, new or updated regulatory requirements, or changes in technology.
- Evaluating (and re-evaluating) best practice standards, including external benchmarking, industry standards, or guidance from professional associations.
- Adopting new technologies in alignment with industry standards and our resiliency posture.
- Implementing changes to procedures, tools, and ownership, including updating SOPs, controls, and any policies as needed.
- Ongoing internal and external monitoring of the effectiveness of changes made as part of Empyrean’s continuous improvement process.
A strong corporate resiliency posture is critical in today’s business environment. While it may feel daunting to shift to a proactive approach, a thoughtful and well-tested business continuity and disaster recovery program will provide your organization’s stakeholders with the peace of mind and protection necessary to be successful.
Trust us, we’ve seen it firsthand.
We’re Not Just Surviving, We’re Thriving.
ABOUT RICK MILLER
Rick Miller is Empyrean’s Vice President, Information Technology and has been with Empyrean since 2010. Rick has overseen Empyrean’s infrastructure, security practice, and business continuity and disaster recovery programs since joining the company. Rick continues to lead the organization’s security, BCP/DR, audit, and procurement practices.