Business Continuity Management

According to Gartner, 50% of all businesses fail after experiencing a major disruption. The lack of planning and preparation for these disruptions can cause a major blow to a business, which may include losing its customers, assets, personnel, etc. A business is more likely to recover if it has a plan and has taken into account all the areas on which it depends to function normally.

In the past (and probably some organizations are still doing this today), IT Disaster Recovery has been part of the IT department’s responsibility. IT’s primary focus for IT DR was to ensure that they pass their annual audits. Unfortunately, I believe there might still be some confusion on the part of business owners thinking that business continuity management and planning is strictly planning for IT Disaster Recovery and is an IT problem. How unfortunate, because IT Disaster Recovery Planning (DRP) is merely a subset of the whole scheme of Business Continuity Management. DRI International defines Business Continuity Management as a holistic management process that identifies potential impacts that threaten an organization and provides a framework towards building resilience with the capability for an effective  is defined as Today’s business environment is more demanding and complex, compared to the old days. We continuously face challenges in delivering services to our customers in real-time and have less tolerance for disruptions.

There are many publications available that speak about Business Continuity Management (BCM). Some of the better ones are: The Professional Practices from bodies such as DRI International, an article called “Establishing a Corporate Business Continuity Program and Continuity Program Office” by Robert E. Duncan and Bill Dimartini, as well as the MAS (Monetary Authority of Singapore) Business Continuity Management Guidelines. Essentially, the primary objective of BCM is to enable Executive Management to continue to manage the business and its operations under adverse conditions, through the introduction and adoption of resilience, recovery and continuity strategies and plans.

A typical BCM program is usually initiated and supported by Executive Management. As I mentioned earlier, an IT DRP is merely a subset of the BCM program. Management support is a critical success factor for BCM, and a BCM program can never be initiated by mid-managers or the IT department and expected to succeed without adequate executive management support.

The second stage is where we determine the risks (events or surroundings) that can adversely affect the business and its resources, such as people, facilities and technologies, due to disruptions. We’d estimate the impact to the business, the potential loss from such events and the controls required to avoid or mitigate such risks, quantify and qualify the risks through a Business Impact Analysis (BIA), and finally use the data to establish a set of recovery objectives which need to be approved by Executive Management. Recovery objectives exist in the form of RTO (Recovery Time Objective) and RPO (Recovery Point Objective) – you can find their definitions here. Then, using the outcome of the BIA and risk assessment / evaluation, we begin to develop and recommend business continuity strategies that are aligned to the approved RTO and RPO. This is important, because stringent and tight recovery objectives will lead to the adoption of more complex and detailed strategies, which are likely to be more costly to implement.

The next step is to identify the organization’s readiness to respond to an emergency in a coordinated, timely and effective manner. We then start developing the procedures and plans, and begin to design, implement and test them. There will also be a need to prepare a communications program to bring the organization to a level of awareness and enhance the skills required to implement and maintain the plans and procedures.

It is necessary to establish an exercise/testing program which documents plan exercise requirements including the planning, scheduling, facilitation, communications, auditing and post-review documentation, and a maintenance program to keep plans current and relevant. Besides that, it is also necessary to have an audit process which will validate compliance with standards, review solutions, verify appropriate levels of maintenance and exercise activities, and validate that the plans are current, accurate and complete.

One aspect which is often neglected is communication in times of crisis. This can be remedied by developing and documenting the action plans to facilitate communication of critical continuity information. The communication plan will help educate all relevant parties to coordinate and exercise with stakeholders and the media to ensure clarity during crisis communications.
