As business processes and their supporting Information Technology (IT) systems become more important to public and private entities, the requirements for an effective Business Continuity/Disaster Recovery (BC/DR) program are becoming more critical. There are many factors to consider when developing an effective BC/DR program. The checklist below can help you get started.
First, high-level definitions:
Business Continuity and Disaster Recovery Program: The overall package; includes everything from the governing policy to periodic testing
Business Continuity Plan: A formalized set of steps that define how an organization’s business processes will be sustained during and after a significant incident
IT Disaster Recovery Plan: A written plan with detailed steps for recovering critical business applications in the event of a major hardware or software failure or the unavailability of facilities
Cold Site: An alternate site that has the necessary electrical and physical components of a computer and/or business facility but does not have the computer equipment or other business requirements in place; to facilitate a cold site, contracts with third-party suppliers would need to be in place for rapid delivery (typical recovery timeline: three to five days)
Warm Site: An alternate site that has the necessary electrical and physical components of a computer facility and is partially equipped with IT and telecommunications equipment to support relocated IT and business operations in the event of a significant incident (typical recovery timeline: two to three days)
Hot Site: An alternate site that is fully operational and equipped with hardware, software, replicated data, and/or business equipment to be used in the event of a disaster (typical recovery timeline: within hours)
So why should you implement a BC/DR program? Three key reasons:
- A major incident or system outage could have a massive impact on the business if there’s no BC/DR program in place.
- When a disaster occurs, a BC/DR program with a formal process helps you avoid business failure.
- Effective backup and recovery strategies will mitigate the impact of disruptive events.
Plus there are numerous business outcomes from an effective BC/DR program. You can:
- Build a partnership between business units and IT to develop a set of plans and procedures that will maximize the potential of an effective and timely resumption of disrupted critical business processes.
- Coordinate BC planning and IT recovery planning programs on an ongoing basis.
- Minimize potential disruptions.
- Mitigate financial and operational impacts to the business if a major incident occurs at an occupied facility.
- Effectively utilize all available resources for recovery—including facilities, personnel, communications, equipment, and supplies.
The BC/DR Checklist
For a BC/DR program to be effective, it should include the following:
- Business Impact Analysis (BIA) and IT Risk Assessment (R/A). The BIAs and R/As are required to identify and prioritize critical business processes, supporting IT systems, and other components. The BIA and R/A are crucial steps to ensure that efforts are being spent on truly critical business areas.
- Continuity and Recovery Policy Statement and Standards. A formal policy provides the governance, guidance, and requirements necessary to manage an effective BC/DR program. Formal recovery standards define the minimum required for items such as tape backup, hard copy backup, crisis management, application development, and training.
- Preventive Measures. Actions taken in advance to reduce the effects of incidents can also increase system availability and reduce BC/DR lifecycle costs.
- Business Continuity Plan. The business continuity plan describes the steps the business will follow to recover quickly and effectively following an incident.
- IT Disaster Recovery Plan. The IT disaster recovery plan contains detailed steps and procedures for recovering damaged or unavailable IT systems.
- Application Recovery Procedures. The application recovery procedures should be detailed enough that any experienced IT person can recover the business applications. This reduces the need for the on-site support of application programmers, database managers, etc., for recovery. It also allows for the use of third-party providers to recover for you, with minimal knowledge of your systems.
- Plan Maintenance. All plans should be thought of as “living documents” and, as such, should be updated and recertified regularly to remain current with facility and system enhancements.
- Plan Testing and Training Exercises. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall preparedness.
If you take the time and effort to implement a BC/DR program, you will be better situated to either head off or respond to major incidents that impact your ability to sustain your business.