Then something happens, say a global pandemic. An environmental incident. A fire or flood. A cyberattack. An active shooter tragedy.
The proactive, well-managed organization is ready, rehearsed and responsive with business continuity plans and disaster recovery plans—different yet complementary—in place and appropriately implemented, whenever and wherever emergency conditions are indicated. These organizations know how rapid risk assessments, clear, responsible lines of authority, solid decision-making and constant communications, are essential to continue, shift or restore business operations. And honesty and transparency when disaster strikes, about its impact, and the path forward, can make the difference–short and long term—for employees, customers, suppliers, the ecosystem that is an enterprise today.
Requiring and Defining Business Continuity and Disaster Recovery Plans
So, what are the key elements of business continuity and disaster recovery? What’s involved in the planning process? And is it a requirement for business organizations? Well, to handle that last question first, the answer is quite simple: Yes. The U.S. Occupational Safety and Health Administration (OSHA) requires companies with more than 10 employees to compile business continuity plans (BCP) and Disaster Recovery Plans (DRP) to comply with its Regulation 1910.38 Emergency Action Plans. The agency emphasizes the importance of these measures in terms of safety and the responsibility of a business to safeguard life and property of the enterprise and its employees.
While business continuity and disaster recovery plans are two separate types, they can be very complementary as there are many similar concerns for each. And, some processes and characteristics do overlap. The plans both deal with urgent, unexpected situations, such as the following developments, that may lead to negative impacts to operations, financial resources or reputation:
- Death or significant injury to leaders or employees
- Damage to business property
- Environmental damage in communities
- Business closures
- Work or service stoppage
- Severe, swift financial or economic shifts
A BCP is a predefined approach and procedures for how an organization will continue to run when coping with an emergency. A DRP is a predefined approach and procedure for restoring the organization to full functionality, and minimizing impact, after a disaster, whatever the cause. While a BCP focuses on defining how business operations should function under abnormal circumstances, a DRP focuses on getting applications and systems back to normal.
Business Continuity Planning Priorities
There are several key factors to consider in BCP. Anything having to do with employee and/or customer safety and security are top priorities. In addition, business continuity planning also should focus on these major challenges, among many issues:
- Business operations and durations without tools, assets, locations, local employees or any other basic essential elements
- Contingencies and outcomes when access to facilities, servers, customer records, or other information is limited or impossible, short- and long-term
- Business operations without or with limited utilities, such as communications, water, and electricity, or the use of generators
- Prioritizing processes and workflows to maintain mission-critical operations on a limited basis
- What scenarios would create the greatest disruption to the organization and/or be more likely to occur.
The central BCP theme and planning activity for an enterprise, of course, is risk assessment and mitigation. Steps to assess various risks could include:
- Estimate the likelihood of the event based on data, such as the historical frequency of natural disasters in an area
- Define risk categories, such as operational, legal, financial, reputational, or security
- Gauge the impact to assets or processes based on the defined risk categories. As just one example, a natural disaster that causes a server outage may affect a public website and e-commerce platform, which can dramatically impact revenue, partner relationships or both.
- Create mitigation and contingencies, such as work-at-home approaches, system backups and alternate operating locations.
Processes and Procedures
Minimally, a BCP should define processes and procedures for the following:
- Assessing and planning for threats to business operations
- Maintaining operations and meeting obligations during emergencies
- Plan tests, including test types and schedules, roles and responsibilities, and documentation requirements
Contacts and Communications
BCP should devote substantial attention to contact and communications processes, spokespeople, roles and responsibilities. Primary and secondary points of contact should be determined internally and externally, and in each case executive leaders should be visible and vocal. Templates, key messaging, draft communications and schedules should be modeled and ready to deploy in the event of an emergency. These steps can help assure plans are enacted and address employee, customer, partner and public concerns, among key audiences. At the same time, contingencies and mitigation should be set up in case communications systems are inaccessible.
Initial and ongoing outreach to important vendors and contacts should also be well-documented in a BCP. These entities could include:
- Banks and financial institutions
- Computer and IT backup support providers
- Legal advisors
- Government entities and regulators
- Building contractors
- Fuel companies
Disaster Recovery Planning
With organizations wholly reliant on technology, DRP often concentrates on support for and a return to fully functional IT systems. Critical systems should be prioritized based on customer needs and regulatory requirements, among other factors.
A DRP and BCP share many elements to be defined and documented. Key DRP elements can include:
- Business Impact Analysis (BIA)
- Assumptions and constraints
- Data and system backup plan
- Damage and impact assessment
A Business Impact Analysis (BIA) is essential for determining and evaluating the effects of an interruption to critical business operations. The BIA assesses a disaster’s impact over time and helps establish recovery strategies, priorities, and requirements based on system criticality. Business leaders and management should be involved in determining the system recovery priorities as the BIA will be used to document the critical systems, document dependencies with other systems, and prioritize the system recovery efforts.
Data Backup Plan and Response Action Plan
Disaster preparedness is rooted in an agreed-upon backup strategy that addresses acceptable recovery time and data loss, adequate system redundancy, and sound data restoration processes. The data backup plan details the backup strategy to ensure that data is available in order to restore systems during emergency and nonemergency situations.
This plan outlines the backup strategy for all critical systems identified in the BIA. The recovery and response action plan provide detailed steps on the recovery procedures that need to be performed in order to restore systems and data. The recovery steps are critical as they will help guide staff in the steps necessary to fully recover a system.
Communication Processes, Roles, Responses
Just as in BCP, the many facets of communications are critical. Communication is a key process during the recovery effort so recovery teams understand their roles and responsibilities. A Disaster Recovery Coordinator (DRC) should be established, along with a backup to the DRC. This person will be responsible for coordinating, communicating, and managing staff during the recovery efforts.
An Emergency Response Team (ERT) should also be documented as these personnel will be responsible for the recovery of the systems. They will need to prepare the recovery site for operation, coordinate recovery steps and activities, interface with system vendors, and ensure recovery is complete once systems are restored. Some organizations implement an IT command center with cross-functional representation.
Planning to Understand and Manage Third-Party IT Risk
DRP approaches put the spotlight on assessing, managing, even avoiding risk. With IT’s interconnected world, risks can be posed by third parties, such as service providers or vendors. These third parties can play a significant part in the overall risk for an organization based on the types of data they have access to or handle. They can also be used to provide recovery services or high availability for systems that need to meet high levels of up time.
For companies serving highly regulated industries, such as healthcare, financial services, and utilities, third-party risk management often includes assessing BCPs and DRPs. By documenting and testing these plans, organizations are better equipped to meet the expectations of those they serve.
Plan the Plan with Experts
When, where and particularly how and how well an organization responds during an emergency situation or other unexpected event can range from dramatically positive to drastically negative. It can make the difference in how quickly an enterprise can resume operations, reassure its business ecosystem and keep the focus, or perhaps realign, its prospects for future success.
Organizations look to business continuity and disaster recovery planning experts to give added rigor, objectivity and integrity to these plans, planning processes and documentation. The Alchemi Advisory Group can bring experience in business operations and technology audit and assessment, to create the customized framework, fine details and every facet needed for business continuity and disaster recovery processes and positive results.