Business continuity and disaster recovery plans are the first line of defense in the aftermath of a disruptive event. After an unexpected catastrophe, these plans -- especially ones that are properly documented and regularly exercised -- help organizations greatly increase their chances of resuming normal business operations quickly and with minimal interruption.
Business continuity and disaster recovery plans can provide a competitive advantage, especially as major organizations increasingly require them as part of vendor selection and contracting processes. Without the plans, organizations risk sanctions, fines, loss of customers, lawsuits and even going out of business following an unexpected event.
In this Q&A, independent consultant and auditor Paul Kirvan discusses the traits of a solid business continuity and disaster recovery plan, where organizations should start when developing their plans, and how to use cloud-based services for your disaster recovery and business continuity needs.
Paul Kirvan: Among the key characteristics -- and these are not necessarily in a specific order of importance -- are:
- Up-to-date contact lists -- both internal and external -- so plan activation can proceed quickly and smoothly.
- Documented and easy-to-understand procedures on how to respond to specific situations -- examples can include evacuation plans with assembly points, recovery of servers and recovery of voice and data communications.
- Regular exercises to validate that plan procedures will work as designed.
- Trained and motivated emergency response team members who know their roles and responsibilities in an emergency.
- Advance arrangements with third-party organizations to provide emergency support services, such as work areas for temporarily displaced employees and rapid replacement of damaged equipment and furniture.
- Advance arrangements for obtaining cash and other financial instruments to maintain payroll and other key business activities.
- Awareness and understanding of the business continuity and disaster recovery plans by local first-responder organizations.
- Administrative and budgetary support from senior management for a business continuity and disaster recovery program.
What business areas and processes do companies have to take into consideration when developing a disaster recovery and business continuity plan? Why are these areas and processes important?
Kirvan: Careful research into the business and how it works helps define business continuity and disaster recovery plans. This information is usually captured by performing a business impact analysis. Typically, all department leaders and senior staff within the organization are interviewed to learn what their business unit does and how it operates; how it contributes to the company's success; what organizations (both internal and external) it depends on for normal operations; what technologies, applications and systems are needed to perform daily activities; the data, such as files and databases, needed to conduct business; and the timeframes in which the business unit needs to be back in operation and have access to its data before its loss could have an adverse effect on the overall organization's ability to conduct business.
This information is then used to identify the most critical business activities or processes; how quickly these processes and associated systems need to [be] back in service following a disruptive event; and alternate arrangements that could be launched to recover business operations.
Another important research activity is a risk assessment, which examines internal and external situations that could threaten the organization's ability to conduct business. It also identifies both perceived and actual vulnerabilities to the organization that could make threats become realities. This information is analyzed along with findings from the business impact analysis to provide an overall risk profile of the organization.
Are cloud solutions a viable option to help with disaster recovery and business continuity? If so, how?
Kirvan: Cloud-based solutions for disaster recovery and business continuity provide another option that can help an organization recover from a disruptive event. Cloud-based business continuity and disaster recovery solutions currently provide additional data processing and storage options so business operations can resume and critical data can be quickly recovered following an incident.
For example, let's assume you want to ensure certain key business activities, such as payroll and currency trading, experience minimal or no disruption or downtime following an incident. You can define a cloud-based service that can quickly recover and restart these critical applications, as well as load the data needed to handle the system requirements. This can be done without the need for physical space for servers, peripheral systems, or even network connectivity. It can all be resident in a cloud-based service, ready to go when needed. Ideally, cloud-based solutions can provide another line of defense to back up existing IT operations. Many organizations are considering a hybrid approach, blending the resources in primary data centers with the backup capabilities of a cloud-based solution.