Business Continuity and Disaster Recovery — Let’s Cut to the Chase
- “Business continuity” involves critical business functions, while “disaster recovery” focuses on technology infrastructure.
- Follow core fundamentals for developing an effective business continuity plan, and train your staff on its use.
- Test your plan on a periodic basis, and maintain its ability to adapt to changes in technology and industry.
Search “business contingency/disaster recovery plan” and you’re likely to experience information overload. Let’s sidestep the noise.
The terms “business continuity” and “disaster recovery” are often conflated, and understanding their definitions is an integral first step in contingency planning. Which raises the question, “What’s the difference?”
- Business continuity is enterprise driven, focusing on maintaining and streamlining recovery of your organization’s critical business functions.
- Disaster recovery is narrower in nature, focusing specifically on the preparation, continuation, and recovery of your organization’s technology infrastructure. Therefore, disaster recovery is a subset of your organization’s business continuity plan.
Now that we’ve cleared up the nomenclature, let’s review the core fundamentals of a business continuity plan — and how disaster planning is incorporated.
1. Risk assessment — A solid contingency plan assesses your organization’s greatest business exposures and identifies the most likely and impactful threats that could disrupt operations. Using a scoring matrix, a risk assessment ranks potential business disruptions based on likelihood, duration, and severity of threat. It considers natural, technological, and human scenarios that may affect your organization, customers, and critical vendors.
2. Business impact analysis — This is the most crucial and beneficial building block for planning and prioritizing disaster recovery. A business impact analysis assesses the value of each business function as it relates to the operations of your organization as a whole. For each function it establishes a recovery time objective (RTO: how long the function can be unavailable before the loss becomes unacceptable) and a recovery point objective (RPO: how much data, measured in time, the organization can afford to lose), and it identifies where workarounds are available. Whether those objectives are actually being met is something only testing can show.
3. Gap analysis and preventive controls — Once your organization has identified its greatest risks and set priorities and expectations for recovery, it’s vital to assess where gaps exist. Examine strategies to implement preventive controls, and consider investments to further mitigate risks and reduce threats.
4. Policy statement — A policy statement is a blueprint of specific guidelines for plan development. It provides clear direction and expectations to help minimize on-the-fly decision making. It should pragmatically lay out authority and responsibilities, and include terms for security, change control, communications, response, and notification.
5. Plan development — Now it’s time to document procedures for executing priorities, delegating responsibilities, and specifying required resources. Procedures must be:
- Specific about when and how to implement
- Focused on how to efficiently and effectively return to operations
- Flexible in considering unanticipated threats and business changes
- Effective at minimizing disruption and financial losses
Your organization may want to write its plan based on threat scenarios that pose the greatest risk to critical business functions such as:
- Unavailability or loss of critical resources: personnel, facilities, hardware, software, or data
- Inaccessibility of third-party providers for software, telecommunications, data, or power
- Latency of network resources: data lines, phones, applications, or websites
- Liquidity constraints: internal, third-party vendors, or customers
6. Plan training — To effectively execute the plan, staff should be educated on procedures, responsibilities, and overall expectations. Training will help prepare staff before an event occurs, enhance their participation in required testing efforts, and support risk mitigation efforts.
7. Plan testing — Plan resilience should be validated on a periodic basis. Are disaster recovery plans reliable? Are set RTOs and RPOs realistic? Are the procedures well documented and easily executable? The best way to know is to test them, document the results, and readjust the plan accordingly.
8. Plan maintenance — Finally, don’t fall into the set-and-forget trap. Technology and competition will continue to challenge business strategy and daily operations, which means your organization should continually revise and validate its contingency plan and disaster recovery needs.
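Steps 2 and 7 above set RTO/RPO objectives and then ask whether they are realistic. The following added example (not from the original article) shows one way a practitioner would answer that question with evidence rather than assumption: it reads a backup-job log and restore-drill timings and compares the achieved values against the objectives. The function names, the two business functions, and all log lines and durations are constructed for illustration. The point it makes that the text does not: a backup job that fails silently widens the achievable RPO beyond what the schedule promises, so the check has to be made on successful backups only.

```python
"""Compare achieved RPO and RTO against the objectives set in a business
impact analysis. Added example; all objectives, log lines and drill
timings below are constructed, not taken from any real organization."""
from datetime import datetime, timedelta

# Hypothetical objectives a BIA might set for two business functions.
OBJECTIVES = {
    "order-processing": {"rto": timedelta(hours=4), "rpo": timedelta(hours=1)},
    "payroll": {"rto": timedelta(hours=24), "rpo": timedelta(hours=12)},
}

# Constructed backup-job log: timestamp, business function, job status.
BACKUP_LOG = """\
2024-03-01T00:05:00 order-processing ok
2024-03-01T01:04:00 order-processing ok
2024-03-01T02:03:00 order-processing failed
2024-03-01T03:02:00 order-processing ok
2024-03-01T00:00:00 payroll ok
2024-03-01T11:30:00 payroll ok
"""

# Constructed restore-drill results: measured time to bring each function back.
DRILL_RESULTS = {
    "order-processing": timedelta(hours=3, minutes=20),
    "payroll": timedelta(hours=20),
}


def parse_backup_log(text):
    """Return {function: [timestamps of successful backups]}.

    Failed jobs are excluded: they produced no restorable copy, so they
    cannot shorten the data-loss window."""
    good = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, func, status = line.split()
        if status == "ok":
            good.setdefault(func, []).append(datetime.fromisoformat(ts))
    return good


def worst_case_data_loss(timestamps):
    """Largest gap between consecutive successful backups, i.e. the most
    data lost if a failure strikes just before the next backup lands.
    Returns None when fewer than two successful backups exist."""
    ts = sorted(timestamps)
    if len(ts) < 2:
        return None
    return max(later - earlier for earlier, later in zip(ts, ts[1:]))


def evaluate(objectives, backup_log, drill_results):
    """For each function, report achieved RPO (from backup gaps) and RTO
    (from the restore drill) and whether each objective was met."""
    good = parse_backup_log(backup_log)
    report = {}
    for func, obj in objectives.items():
        loss = worst_case_data_loss(good.get(func, []))
        restore = drill_results.get(func)
        report[func] = {
            "worst_data_loss": loss,
            "rpo_met": loss is not None and loss <= obj["rpo"],
            "restore_time": restore,
            "rto_met": restore is not None and restore <= obj["rto"],
        }
    return report


if __name__ == "__main__":
    for func, result in evaluate(OBJECTIVES, BACKUP_LOG, DRILL_RESULTS).items():
        print(f"{func}: data loss {result['worst_data_loss']} "
              f"(RPO met: {result['rpo_met']}), restore {result['restore_time']} "
              f"(RTO met: {result['rto_met']})")
```

In the constructed data, order-processing is backed up hourly on paper, but the 02:03 job failed, so the worst-case loss window is 1 h 58 min against a 1-hour RPO. The restore drill at 3 h 20 min clears the 4-hour RTO. Payroll meets both. Recording results like these after each test is the "document the results, and readjust the plan" step of plan testing.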
How we can help
Doing a bit of work now to safeguard your organization into the future, even in the face of a disaster, can save you effort in the long run. In the short term, this preparation can also help you gain peace of mind. CLA’s business continuity planners can work with you to develop, document, and analyze procedures for disaster response, recovery, and restoration.