In my last blog you heard about the basics of incident management. Now it’s time to take it one step further and see what we can do for incidents that cannot be dealt with during the normal course of operations. Business Continuity and Disaster Recovery (BC/DR) is the practice of outlining plans to prepare organisations for any operational disruption from unforeseen events caused by circumstances outside our sphere of control. It includes procedures to restore business operations as best you can within a minimum amount of time.
Continuity = Survival
Some people don’t consider BC/DR as a part of a larger incident management process, instead having a BC/DR strategy that looks ‘just good enough’ on paper and is never tested. These people are digging a grave for their business. Full, proper incident management is essential for a Business Continuity Plan that will actually make a difference. It is comprised of the following three elements:
Risk Management – As mentioned in my last blog, you must identify all significant risks to the organisation. This is a two-step operation: first a business impact assessment will identify exactly what your business can’t do without. Secondly, a risk assessment will establish the loss impacts.
Emergency Planning – Be prepared. Have a plan containing procedures on what to do when an unforeseen event occurs. This is linked to the incident management plan and follows the same multi-step path of preparing, training, communicating, responding, recovering and learning.
Disaster Recovery – A plan that contains procedures on how to recover the technical side of your critical operations. Act on the premise that, however unlikely the disaster, it will eventually happen.
The detailed difference
People often confuse business continuity with disaster recovery, sometimes using the words interchangeably. Strictly speaking, disaster recovery is just a subset of the overall business continuity plan. “Disaster recovery” aims to regain the technical ability to support your critical business operations. On the other hand, “business continuity” has a larger scope that aims to keep all essential aspects of the business alive after a major incident.
What form should my BC/DR take?
This will depend on the disaster scenarios you identify in your risk assessments. By way of example, it might be that you’ve planned for your office being flooded, so your BC/DR strategy will involve relocating your staff to temporary premises and re-routing your phones. If you’re working in the cloud, congratulations: you’ve just saved yourself the hassle of setting up a new IT infrastructure at your DR site and restoring from backups.
When should I hit the panic button?
The plan should be invoked when an incident causes significant, extended loss of the IT environment, prevents employees from carrying out their duties, and/or makes other crucial or services unavailable. Simply put: you’ll need to invoke the BC/DR plan at the point where you’re unable to continue operating business as usual. At this point, your IM teams must assess the incident for its severity and take into account
- Evaluation of the root cause
- Estimated time of outage
- Availability of key staff and service providers
Okay, I’m sold. How can I prepare?
- Start with the business impact assessment. Sit down with every department and identify the assets and processes that are critical to business as usual.
- Assess the risks to these assets and processes. What might happen? Identify all infrastructure, business and human risks.
- Add controls to mitigate the risks to these assets. This could include moving to a cloud-based IT system with local backups, communication plans, and alternative sites to lift-and-shift your operations to, etc.
- Define an invocation procedure and nominate a Business Continuity Manager. They’ll be responsible for co-ordinating the plan and liaising with senior management.
- Outline a recovery strategy. Don’t be too specific on the steps involved, since every scenario varies according to its particular details.
- Test, test & test again. Tests could take the form of table-top exercises, components testing or even full-scale mock disasters.
- Review the whole plan on a regular basis.
Tips to take away
- Get buy-in from senior management. Proper IM and BC/DR takes an investment of resources, time and money. Any Director worth their salt should be prepared to invest in the measures it takes to save their business.
- Have a look at ISO 22301. It’s a Business Continuity Management System and sets a good baseline for best practices.
- A comprehensive, tested BC/DR plan will help you survive the worst, in terms of both brand reputation and financial impact.