Confused by the difference between Disaster Recovery Planning and Business Continuity Management? Now let’s add another term – Business Resilience. Put simply, business resilience is the ability of an organization to absorb the effects of an undesirable event and maintain operations at or very close to normal levels.
By definition Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) are integral to any and all Business Resilience strategies. The differences between DRP and BCP are distinct:
- BCP is about defining the assets and potential threats that are associated with specific business processes that have the potential to adversely affect the organization as a whole. BCP is proactive in its approach.
- DRP outlines the actions that will be taken in reaction to various disaster scenarios. DRP, despite being planned, is reactive. DRP often starts with IT, not because it is the only place of focus from a technology perspective but because it is one of the most obvious places to start.
Any business that uses technology as part of its core business must account for that technology in the Business Continuity Management (BCM) and DRP process.
Business Continuity Management
Business Continuity Management is the structured framework that an organization puts in place to defend against potential threats, whether they be financial, technical, social, political or environmental. Business Continuity Management (BCM) is used to identify the core business processes an organization must protect. It does this by:
- Anticipating potential threats to those processes
- Predicting the potential impact of these threats on the way the organization does business
- Defining processes to remediate and resolve those problems. Establishing methodologies for testing and improving this step over time.
That last bullet is key – this is not a one-time process. It is living – it will constantly need to evolve as the business evolves.
The information technology portion of Business Resilience is the Disaster Recovery Plan (DRP). DRP includes the hardware and software required for all business-critical applications and the associated processes. There are two good indicators for any DRP:
- Recovery Time Objective (RTO) – the maximum tolerable length of time that a computer, system, network, or application can be down after a failure or disaster occurs.
- Recovery Point Objective (RPO) – the maximum targeted period in which data might be lost from an IT service due to a major incident.
DRP is a senior management function and cannot succeed without top-level support. Recognition of the need for such a plan must be present at an early stage, no matter who stimulates this awareness. Senior management has to understand the business impacts and risks specific to each area. Firstly, it is important to outline some disaster scenarios – flood, fire, storm, cyber crime, cold winter weather, extreme heat, loss of key staff, etc. For each scenario the following should be considered:
- How much of the organization’s resources could be lost?
- What would be the total cost?
- What efforts would be required to recover?
- How long would it take to recover?
- What is the impact on the overall organization?
- How are the customers affected, what is the impact on them?
- What is the reputational cost to the business? The share price/market confidence?
Disaster Recovery Planning Process
With management sign-off, the planning process can begin. It is a simple process and should include the following:
- Risk assessment
- Business impact analysis
- Determine the RTO/RPO requirements
- Define the recovery process
- Develop DR plan
Business Continuity Management and Disaster Recovery Strategies
The following is a list of best practices for BCM and DRP deployment:
- Document key personnel and their backups. These are individuals without whom the business cannot function. Make this list as small as possible.
- Identify personnel that can telecommute. Ensure that it is documented who can effectively work from home and who cannot.
- Verify that all key personnel (outlined in point 1.) can telecommute. Consider assuring if necessary.
- Document all external contacts and create a “key contacts” list. Contacts to consider: attorneys, bankers, IT consultants, shipping/logistics companies, utility companies, other companies that might be needed for operational functionality.
- Have your technology partner document your technology equipment. This can include software.
- Identify critical documents and ensure that they are being backed up with a suitable solution. Documents could include articles of incorporation and other legal papers, HR documents, building lease papers, tax returns, etc.
- Contingency equipment – where would you get new computer hardware?
- Contingency location – where are you intending to continue business operations if your office is destroyed? Will everyone telecommute, or will you use a hotel or your technology partner’s office?
- Step by step guide – who does what, and how are they going to do it? For example, list out all the responsibilities and write the person who is assigned to that task next to it. Also write it in the reverse so that if you look up the employee you can see the task(s) they are responsible for.
- If the BCP is in disparate locations, it is of no use. Ensure that electronic versions and printed versions are put in folders and distributed to the key personnel. Make sure that they are given two copies, one for home and one for the office.
- Communication is key – make sure everyone in the organization knows the BCP. Hold an annual training session, and have all staff sign a short memo stating that they have been through the training.
- Test the plan. You identified the data, locations, personnel, contacts, service providers, and you’ve documented it, but does it actually work? It is a good idea to periodically let everyone know what will happen, including your customers, contractors and vendors, and on that day act as though your building got destroyed. Better to find out what you missed when it is just a test than when it is an actual disaster. If you have to make major changes, run the test again a few months later.
- Have a plan to change the plan. During the disaster there may be other issues beyond just your office. For example, your plan to telecommute isn’t going to work if the power goes out at your home as well as the office.
- BCP and DRP documentation is going to constantly be updated. If anything changes then the documentation will, too. Review and revise regularly.
It is imperative to incorporate Disaster Recovery and Business Continuity Planning into your business. If maintaining the integrity of your data is important, then contact The TNS Group to learn more about the planning process.