Every business and organization can experience a serious incident which can prevent it from continuing normal operations. This can happen any day at any time. The potential causes are many and varied: flood, explosion, computer malfunction, accident, grievous act… the list is endless. Business continuity planning and disaster recovery planning are fundamental to the well being of an organization. Clearly, they are intended to ensure continuity in the face of such unforeseen or difficult circumstances.
Business continuity is the activity performed by an organization to ensure that critical business functions will be available to customers, suppliers, regulators, and other entities that must have access to those functions. These activities include many daily chores such as project management, system backups, change control, and help desk. Business Continuity is not something implemented at the time of a disaster; Business Continuity refers to those activities performed daily to maintain service, consistency, and recoverability.
The term Business Continuity describes a mentality or methodology of conducting day-to-day business, whereas Business Continuity Planning is an activity of determining what that methodology should be. Disaster recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster. Disaster recovery is a subset of business continuity.
While business continuity involves planning for keeping all aspects of a business functioning in the midst of disruptive events, disaster recovery focuses on the IT or technology systems that support business functions. What is the difference between disaster recovery and business continuity planning? Disaster recovery is the process by which you resume business after a disruptive event. The event might be something huge – like an earthquake or the terrorist attacks on the World Trade Centre – or something small, like malfunctioning software caused by a computer virus.
Given the human tendency to look on the bright side, many business executives are prone to ignoring “disaster recovery” because disaster seems an unlikely event. “Business continuity planning” suggests a more comprehensive approach to making sure you can keep making money, not only after a natural calamity but also in the event of smaller disruptions including illness or departure of key staffers, supply chain partner problems or other challenges that businesses face from time to time. Despite these distinctions, the two terms are often married under the acronym BC/DR because of their many common considerations.
The Need for Business Continuity/Disaster Recovery Planning and Management In the aftermath of recent natural disasters, terrorism, and equipment breakdown, businesses have recognized more than ever the need for an organization to be prepared. Companies are striving to meet the demand for continuous service. With the growth of e-commerce and other factors driving system availability expectations toward 24×365, the average organization’s requirement for recovery time from a major system outage now ranges between two and 24 hours.
This requirement is pushed by the expectations an organization faces on all sides: •Customers expect supplies and services to continue – or resume rapidly – in all situations. •Shareholders expect management control to remain operational through any crisis. •Employees expect both their lives and livelihoods to be protected. •Suppliers expect their revenue streams to continue. •Regulatory agencies expect their requirements to be met, regardless of circumstances. •Insurance companies expect due care to be exercised.
The Phases of Business Continuity and Disaster Recovery Planning, Implementation, and Management The significance of each major phase of continuity planning merits attention because each phase contributes to building all four areas of business continuity: disaster recovery, business recovery, business resumption, and contingency planning: •Phase 1 – Establish the foundation. These alignment and analysis steps are necessary to obtain executive sponsorship and the commitment of resources from all stakeholders.
Without a basis of business impact analysis and risk assessment, the plan cannot succeed and may not even be developed. •Phase 2 – Develop, test and implement the plan. Here, attention to detail and active participation by all stakeholders ensure the development of a plan worth implementing. The plan itself must include the recovery strategy with all of its detailed components and the test plan. •Phase 3 – Maintain the plan. The best plan is only as effective as it is current. Every tactic of business resumption and recovery must be kept up to date and tested regularly. Types of Plans
The separate plans that make up a business continuity plan include: •Disaster recovery plan – to recover mission-critical technology and applications at an alternate site. •Business resumption plan – to continue mission-critical functions at the production site through work-arounds until the application is restored. •Business recovery plan – recover mission-critical business processes at an alternate site (sometimes called “workspace recovery”). •Contingency plan – to manage an external event that has far-reaching impact on the business. Typical Contents of a BC/DR Plan
The details of a BC/DR plan can vary greatly, depending on the size and scope of a company and the way it does business. For some businesses, issues such as supply chain logistics are most crucial and are the focus on the plan. For others, information technology may play a more pivotal role, and the BC/DR plan may have more of a focus on systems recovery. The typical BC/DR plan would however include the following general contents: 1. Introduction – contains general information about the plan itself, including the design of the plan, its scope, overview, purpose, assumptions, etc. . Appointment of the BC/DR management team, which is responsible for overseeing all aspects of the BC/DR plan, including the initiation of such a plan in the event of a disaster. It emphasizes the function of each member of the team and their preparation responsibilities. It would also list their contact information. 3. Steps in the detection and determination of events which could result in disaster together with the required response steps on the occurrence of such events. 4.
A disaster recovery strategy specifically pertaining to major disasters such as those affecting the main data centre. This section is typically broken down into three phases: the emergency phase, the (data) back-up phase, and the recovery phase. 5. Alternative operation locations 6. Back-up sites – should be equipped with critical equipment, data files and supplies, e. g. power generators, computers and software, networking capabilities, etc. 7. Employee, customer and key stakeholder preparation in the event of a disaster 8.
Post-disaster recovery procedures 9. Contact information – Do you have current and multiple contact information for employees, key customers, important vendors, suppliers or business partners, insurance companies, etc.? Benefits and Risks Benefits There is a multiplicity of benefits in planning for Business Continuity within your organization. Not only will your data, hardware, software, etc. , be better protected, but the people that compose your organization will be better safeguarded should a disaster occur.
In addition, employees will be informed and rehearsed as to what actions to take to immediately start the recovery process and ensure business continuity if disaster strikes. Without this type of preparation any unexpected event can severely disrupt the operation, continuity, and effectiveness of your business. Disabling events can come in all shapes and varieties, and for smaller companies, the impact of even lesser disasters can hit much harder, e. g. the unexpected non-availability of key workers, especially if it occurs during the height of the company’s busy season.
Thus, putting business continuity plans into practice in your organization now can prepare your business for almost any potential disaster, help ensure that you will be able to maintain continuity of your business practices, and reduce or even possibly remove the effect such calamities could have on your organization. In addition to the above mentioned benefits, the following are also advantages of business continuity planning: •If not already, your organization my soon be required to incorporate some type of Business Continuity Management planning into its policies by either corporate governance or governmental legislation. With an effective and practiced Business Continuity plan, your insurance company may well view you more favourably should some sort of disaster ever require you to call upon their services.
•Frequently the greatest and most immediate value of the Business Continuity planning process is the awareness one gains of the details of his/her business and not necessarily the streamlining of how to handle disaster as an organization. Business Continuity planning can often create awareness of useful ways to improve an organization, sometimes even in areas that had previously gone unconsidered. Business Continuity planning will make your organization more robust. It can strengthen your organization not only against large-scale problems it can also help make smaller problems that might have caused continuity interruptions to become moot, through detailed planning. •Business Continuity plan will show your investors that you take business seriously, that you are prepared and desire to maintain productivity regardless of difficulty. This preparation will also show your staff that you have their employment and personal well-being in mind.
It will show that you care. •Informing your customers that you have a Business Continuity plan, that you have taken steps to ensure continuity of your productivity so that you can keep your commitments to them, lets them know that you consider the provision of quality service a high priority which in turns instils their confidence in your business. •Business Continuity plan helps protect your organization’s image, brand, and reputation. Being known as a reliable company is always good for business. And finally, a Business continuity plan can significantly reduce your loses if ever you are hit by disaster. Risks i)Over-Reliance on Support – Consultants, Recovery Services, and Software While all industry-leading business continuity service vendors use time-tested, analytical tools, they also allow customization, and for good reason.
As the company’s staff interacts with consultants, outlines recovery strategies at secure sites, and completes structured business continuity plan templates, it should always be thinking, “What unique-to-us factor must we add? ii)Neglecting Maintenance Decades of industry experience have proven that the BCP that lies forgotten in a desk drawer is of little practical use in a real emergency. iii)Consultant or Vendor Reliability and Contracting Issues Perform due diligence as required for any major purchase to ensure that the consultant or the vendor of recovery services or of business continuity software has a good reputation for support of its embedded client base.
Be sure to review the service contract with an attorney well acquainted with such contracts and the unseen pitfalls that may be present in the “standard” contract (for example, automatic renewal clauses). iv)Concentrating on One Part of the Organization at the Expense of Others All business continuity planning, strategy, implementation, and maintenance must take into account all aspects of business continuity – data, finance, buildings, communications, equipment, personnel, customer service, knowledge assets, etc.
Failure to do this type of thinking could leave a company with, for example, a nice safe data centre but no communications between the data centre and the outside and, perhaps, no way for the workers to get to the data centre because of damage to the surrounding building. Conclusion In the aftermath of the terrorist attacks of September 2001, it will be a rare company indeed that does not need to re-evaluate its current business continuity and recovery plans and contracts very carefully.
Organizations need to review all their security policies and plans. Advisors can assist with baseline assessments and initial plan development. Service providers can manage the plan’s implementation. Organizations need to make the commitment to keep the plans current and test the continuity tactics as often as needed. Business continuity and data recovery planning and management is a core responsibility of every company and requires executive sponsorship to ensure its success.