The Disaster Recovery Institute, in its 2019 predictions, has published a list of potential disasters that could disrupt the world. Some of these are pretty dramatic but realistic nonetheless.
The list covers natural, political, economic, and other kinds of human-made disasters. While nobody can tell which disaster will occur and when it’s reasonably certain that there will be significant disruptions.
The question is: which businesses will be impacted. And, to that, the answer is – all organizations are equally exposed, equally vulnerable, and hence, equally responsible for proactive business continuity efforts.
And that’s where we intend this guide to act as a refresher for executives and business leaders who are already versed with the concepts of business continuity.
Plus, we hope this serves as a roadmap for those looking to understand how the concepts of business continuity can help then make their businesses more secure and better prepared for the unknown.
Here are the 10 most essential concepts of business continuity:
Resilience, Recovery, and Contingency
Businesses have to be equipped with tools, technologies, processes, and leadership vision to tackle disasters as and when they strike. They can minimize their losses only if they can rise to the situation and continue to operate effectively even in the event of a catastrophe.
Resilience focuses on:
- Identifying critical elements of business
- Mitigating risks
- Engineering systems for high availability and the capability of recovering quickly
- Ensuring business resumes to normalcy after disaster strikes, as soon as possible
Recovery focuses on:
- Relocating systems, if needed
- Planning to ensure optimized use of limited resources in a disaster situation
- Creating backups
- Determining the level of availability/performance for systems to be deemed ‘recovered
Contingency planning focuses on:
- Developing a contingency planning policy
- Conducting business impact analysis (BIA)
- Putting preventive controls in place
- Creating contingency strategies
- Developing a contingency plan for information systems
- Ensuring planning, testing, training, and drills
- Ensuring plan maintenance and upgrades
By imbibing resilience, recovery, and contingency in the BCP, the downtime of a business is reduced significantly.
Business Impact Analysis (BIA)
Business Impact Analysis plays a pivotal rule in BCP. The steps involved in creating a BIA are simple.
- The first step is to gather information around the kind of threats that an organization is prone to.
- The next step is to associate each of these calamities with a probability factor.
- Rank them in descending order.
- According to the nature of the hazard, prepare a detailed report involving the type, possible after-effects, and how to cope in such an event.
- After signing this off with the senior folks of the organization, a BIA is set in place.
Business Continuity vs. Disaster Recovery
Business continuity is a detailed plan of action an organization will take to ensure that its regular operations continue even when a disaster strikes. It has a much broader scope than disaster recovery.
Disaster recovery is best understood as a subset of business continuity planning and aims at reducing the downtime to a minimum. Disaster recovery is imperative to ensure that business continuity is not lost in a crisis.
It includes tools, policies, infrastructure, or technology that is deemed necessary to restore a business to normalcy.
Recovery Time Objective
In the event of a hazard, it is essential to recover any data that is lost in the process. Recovery Time Objective (RTO) refers to the maximum time allowed to restore a business or a website to its fully functional mode after a disaster, such that the downtime remains ‘tolerably’ low.
Lower your process’ tolerance for downtime, shorter the allowed duration of RTO becomes.
Further reading Recovery Time Objective (RTO)
Recovery Point Objective
Recovery Point Objective (RPO) is a measure of ‘how latest and updated’ the files must be, which, when recovered, ensure normal operations. RPO is expressed in ‘past time,’ with reference to the moment at which the disaster/downtime occurs. The unit of measure is hours or minutes.
A low number on this metric indicates a robust BCP.
Further reading Recovery Time Objective (RTO)
Roles and Responsibilities
A BCP is effective only when the team that manages it is clear on the different roles that must be played, and who plays which role when the disaster strikes.
Your business continuity plan is a living document and must be regularly updated. Relevant teams must be well aware of the latest version of the plan, and any changes in roles and responsibilities it implies.
To make sure everybody is equipped to perform their respective roles, conduct dry runs, simulations, plan reviews within team members.
Recovery Procedures and Checklists
Recovery procedures are a set of documents that explain how to cope with a disaster and recover from its after-effects.
It specifically caters to the IT department and covers rules such as keeping the server room safe from fire and physical damage, having proper backup for data and easy restoration.
It also involves regular inspections and scouring for possible vulnerabilities to keep the company’s IT ecosystem safe.
Checklists are the ideal planning documents that help executives ensure their organization’s IT systems comply with the recovery procedures.
Further reading Disaster Recovery Planning Checklist
Response and Recovery Log
Response and recovery logs refer to documents that record the details of the hazard.
A response log registers:
- The type of hazard
- Who/what was affected
- The damage incurred
- The plan that was followed
Recovery log records:
- How long it took for the business to restore itself to normalcy
- The steps carried out
- Information regarding the breakdown of the different operations and their recovery times
Change Management and Business Continuity & Disaster Recovery (BCDR) Testing
Any disaster management plan is effective only when it is subject to continual testing and improvement.
The same holds for BCDR testing. Some of the methods that can be implemented to test the effectiveness of a BCDR plan are:
The BCDR plan has to be reviewed multiple times and with different stakeholders to assess its effectiveness and usefulness.
Seek assistance from disaster management experts who will be able to see through any loopholes and fine-tune it.
Mock drills of the disaster recovery exercise are a great way to prep the staff for any unanticipated hazard. This will also help identify any bottlenecks in the existing plan and make it robust.
This involves going through every step of the BCP with every staff member by the disaster management team. This ensures that everyone is armed to face any calamity. It also helps in identifying people who may not have enough information and in turn, train them to brave the hazard.
Latest Business Continuity Standards
Irrespective of the scale of hazard, business downtime means loss of time and money. As the nature of threats keeps on changing, so does the state of business continuity standards.
ISO 22301 is a management system process that helps in ensuring business continuity in the time of a calamity.
- It helps in identifying the potential risk factors and the kind of hazards that the business is vulnerable to.
- The next step is for the business to identify critical operations that cannot suffer as a result of a catastrophe.
- Once a business identifies that it is imperative to keep them running in the event of a hazard and minimize the impact.
- The last step focuses on recovering quickly and demonstrating this ability to mitigate a disaster to clients and partners.
- This framework ensures that business doesn’t suffer a setback due to any calamity.
BS EN ISO 22301:2014 is another business continuity planning standard, released by British Standards Institution (BSI), and endorsed by British organizations.
Abrupt calamities cannot be predicted. But that doesn’t mean that they can be eliminated while planning to run a business. It is vital to account for unforeseen extremities and have a plan in place.