With organizations increasingly relying on digital technology, it’s important to have a detailed Business Continuity and Disaster Recovery (BCDR) plan to continue doing business even after a disaster. BC aims to keep mission-critical functions going during and after a disaster, while DR concerns specific steps an organization must take to resume operations. In maintaining a BCDR plan, organizations should test it regularly and update it when necessary.
Steve Bigelow: Despite the ever-growing dependency on digital technologies to run any kind of organization, there’s no downtime allowed for mission-critical data. Downtime can do serious damage to an organization’s bottom line and reputation. In fact, people’s tolerance for noncritical data downtime is pretty limited too. In addition, some organizations, like government agencies, hospitals, and businesses in the financial sector, must adhere to regulations requiring businesses to have continuity and disaster recovery plans in place. Business continuity and disaster recovery are two closely related practices that help keep an organization running even in the wake of disaster.
Any number of events can throw a business into a crisis mode: a massive power outage, a flood, hurricane or other natural disaster, or a cyber attack that steals, corrupts or locks down the organization’s critical data. The world is unpredictable. Here we’ll talk about the importance of having a BCDR plan and how to get there. For a deeper dive, click the link above or in the description below to explore our complete collection on all things BCDR. Business continuity and disaster recovery are closely related, but they’re not the same.
Let’s look at each of them. Business continuity, or BC for short, refers to the procedures an organization puts in place to keep mission-critical functions going during and after a disaster. BC requires comprehensive planning focused on long-term challenges to an organization’s success. Disaster recovery, or DR, is more reactive. DR concerns specific steps an organization must take after an incident so we can resume operations. But both BC and DR focus on unplanned events.
They also share a goal: to get the business running normally again as fast as possible. So how does an organization begin building its BCDR plan? It’s useful to break down the process into its BC and DR components. Your business continuity plan should contain certain elements like contact information, change management procedures, guidelines on how and when to use the plan, step-by-step procedures and a schedule for reviewing, testing and updating the BC plan. Your disaster recovery plan ought to feature elements like a DR policy statement, guidelines for when to use the plan,
the plan’s goals, defined responsibilities of the DR team, a summary of key action steps and contact information, incident response and recovery steps, authentication tools, geographical risks, and the plan’s history. Your disaster recovery plan should also consider staffing requirements. You want to be sure the personnel who can execute the DR plan are always available if needed. Good business continuity and disaster recovery plans accomplish several things. They are clear about the varying levels of risks to the organization. They provide well-defined and actionable steps for resilience and recovery.
They protect the organization’s employees, facilities and brand, and they include a communications plan. Your plan could also establish a common set of metrics such as key performance indicators and key risk indicators. In short, a good BCDR plan details actions from beginning to end. The team that builds, manages and, in the event of a disaster, executes a BCDR plan should be cross-functional, drawing upon multiple stakeholders and expert staff from across the organization. Who leads the team depends on the type of organization.
In a large enterprise, for example, the Risk Management Officer often chairs the BCDR team, and the vice chair is often someone from the IT department. In smaller organizations, either the CFO or IT department head typically leads the team. Other team members should be representatives from the organization’s key business departments such as finance and accounting, facilities management, legal including in-house and outside counsel, marketing, and public relations. Bringing all these stakeholders together to develop a BCDR plan can be a challenge; appointing a project manager to shepherd the process can help.
So you’ve got the team in place. What’s next? First, the BCDR team members should perform the risk analysis and business impact analysis, or BIA. A risk analysis identifies the risks and their likelihood, while the BIA determines and evaluates the impact of an interruption on critical business operations. Conducting a risk analysis and a BIA will identify the most critical aspects of the business and how quickly and to what extent they must be running after an incident. Write out the step-by-step procedures first, then the resulting documents should be consistently tested, reviewed, and updated. Other steps in BCDR planning include creating risk mitigation and an emergency communications plan.
The latter details the method or methods an organization will use to disseminate information on an emergency to employees. Testing the BCDR plan will show if plan recovery procedures should work as expected. But what do we mean by testing? Tests can range from simple to complex. A simple test might be a discussion-based tabletop exercise that walks participants through the plan steps. This type of test helps employees with BCDR roles become more familiar with the response process, and lets administrators assess the effectiveness of the current BCDR plan. A complex test would be a full-scale test simulation where participants perform their BCDR functions, rather than just discuss them in a tabletop exercise.
These drills might involve the use of backup systems and recovery sites. Not surprisingly, testing takes time, funding, management support and employee participation. The testing process also includes pretest planning, training test participants, and reporting on the test results. How often to test? Well, that depends on the type of organization. Larger enterprises should conduct tabletop exercises at least quarterly. Smaller organizations can test less often. A full BCDR test, which is more time and resource intensive, might be conducted annually. An organization setting out to create a business continuity and disaster recovery plan can draw on many types of aids.
They include established standards, templates, software, products, and advisory services. Let’s start with standards. There are government and private sector standards bodies that publish BCDR guidelines. Two prominent ones are the National Institute of Standards and Technology, or NIST, and the International Organization for Standardization, or ISO. After you have a good grasp on the best standards for your organization to use, look for available templates. Templates are preset forms that organizations can fill out to create BCDR planning documents.
If your organization uses a disaster recovery service provider, they may have a template to use. Specialized BCDR software can also help organizations build a plan. This type of software typically covers BIA and risk assessment and may also help include incident response capabilities. Another option is to outsource the organization’s BCDR needs to a third-party firm. But remember, a specialist BCDR planning service can do risk analysis, plan development, plan may and incident training. But it’s up to your organization to first analyze its needs accurately. Smaller organizations might want to turn to cloud-based offerings like disaster recovery as a service, or DRaaS. With DRaaS, a third party replicates and hosts physical or virtual servers to provide failover in the event of a business disruption. A BCDR plan’s number one nemesis is change.
Even the best BCDR strategy, backed up with thorough planning and tests, must be updated. A five-year-old BCDR plan is unlikely to be effective in an emergency, so be sure to put a change management process in place. Typically, the change management process covers six major activities: identifying a potential change, analyzing it, evaluating it, planning for it, implementing it, and finally reviewing and closing out the change process. Here are a few developments to keep in mind as your BCDR plan evolves. First, cyber attacks are likely to increase. In many organizations, though, cybersecurity and business continuity are distinct, separate functions.
Think about putting them under the same roof. Second, it’s a Back to the Future scenario with tape storage. Some organizations are already returning to this method to preserve a copy of their data offline and off site. It’s a tried-and-true way to isolate files needed for recovery from the corporate network, which could possibly be attacked. Third, expect AI’s influence to increase. AI can help a BCDR team make planning decisions. It could also play a role in conducting BIAs and risk assessments.
AI could also support incident response, recommending actions based on the details of unfolding disaster scenarios. Finally, you’ll likely see managed service providers play a bigger role in the future of BCDR. This is especially likely for SMBs that lack internal expertise. MSPs can advise clients on BCDR planning and make technology recommendations. Some MSPs offer disaster recovery as a service; others partner with vendors that provide that tool. It’s important to remember that threats and technology aren’t the only changes to keep an eye on. Organizational changes such as acquisitions, divestments, or new lines of business will also demand a BCDR update.