The terms business continuity and disaster recovery are often used interchangeably, but they differ in the policies and technology involved. Business continuity can best be described as “the ability to maintain operations/services in the face of a disruptive event” (DuBois, 2011). Disaster recovery, on the other hand, can be described as the “coordinated activity of recovering IT systems following the complete or partial loss of a site due to a natural disaster or a security event” (DuBois, 2011). The ideal components of an enterprise business continuity and disaster recovery plan are discussed below.
Risk Assessment and Business Impact Analysis (BIA)
Risk assessment and BIA are the first step towards a sound business continuity and disaster recovery plan. Done well, they help determine the business continuity and disaster recovery strategies and responses. The objectives of risk assessment and business impact analysis are the identification and prioritization of credible threats, the analysis of legal, regulatory, financial and operational impacts, and the determination of recovery objectives (Bronson & MacDonald, 2014). According to Bronson and MacDonald (2014), leading practices in risk assessment and BIA include:
Risk Assessment investigates inherent risk levels based on specific and credible threats by measuring both likelihood and severity of event occurrence.
Risk Assessment reviews mitigating controls and countermeasures applicable to each threat and estimates residual risk levels.
Risk Assessment defines a "geographic scope of disruption" as a guideline for locating alternate facilities to ensure that primary and backup locations are not simultaneously disrupted by a common threat event.
BIA assesses financial, operational and regulatory/legal impacts and management tolerances for disruption resulting from a “worst case” scenario.
BIA analytically defines recovery objectives based on measured business impacts and management tolerances for disruption. These objectives should include both requirements for recovery times and data recovery.
BIA establishes minimum operating requirements that must be restored to satisfy business needs.
The results of the BIA are then used to determine the recovery objectives. The recovery objectives assessed include recovery time objectives (RTOs) and recovery point objectives (RPOs). RTOs are the basis for recovery strategies and refer to the time span within which systems and functions need to be recovered after a disruption. RPOs are the basis for backup strategies and refer to the point in time to which systems and data must be recovered after a disruption (Bronson & MacDonald, 2014).
Business Continuity Strategy
This is the next step after risk assessment and BIA. It provides methods that can be used by an organization to meet its recovery objectives. The main objectives of any business continuity strategy are to confirm that the recovery objectives and strategies are effective for both business and information technology (IT) recovery. According to the Tech Target Special Report on Essential Guide to Business Continuity and Disaster Recovery Plans (n.d.), some business continuity strategies include:
Evacuation of staff to a pre-arranged alternate work area if the alternate site has been prepared, or making the necessary arrangements for one. Transportation should be provided to meet the recovery time objectives (RTOs).
Moving of alternate staff into leadership roles if key leaders are absent. This strategy is succession planning and ensures that the replacement of a key senior manager is done with minimal disruption.
Working from home after ensuring that the staff has Internet access and there are enough network access points to accommodate the increased usage.
Business continuity can also be achieved using a standard approach. This approach would involve following laws, regulations and guidelines provided for by bodies such as:
ISO 23011 – Business Continuity Management Systems which allows the institution of a process that includes IT disaster recovery, crisis management, and business resumption planning.
CobiT v5 – Control Objectives for Information and Technology which allows for the review of service level agreements between the external partners and the organization.
Health Insurance Portability and Accountability Act (HIPAA) of 1996, which requires an emergency mode operation plan and reasonable measures that are appropriate for the size and resources of the organization (Noakes-Fry, Baum & Runyon, 2005).
Disaster Recovery Strategy
As discussed before, disaster recovery mainly focuses on the IT systems. According to the Tech Target Special Report on Essential Guide to Business Continuity and Disaster Recovery Plans (n.d.), some disaster recovery strategies include:
Activation of backup and recovery facilities in a secondary company data center. In this case, all production is moved to the new site, which must be equipped with sufficient resources such as server hardware and storage capacity.
Activation of recovery resources in a cloud-based service. Measures are put in place to fail over the critical systems to the site to resume operations.
Recovery of virtual machines (VMs) at an alternate site if virtual machine clones have already been created at the site. These VMs must be updated to ensure they are ready for use in production.
Plan Development & Strategy Implementation
This step puts the strategy and recovery capabilities of the enterprise into practice. To develop and implement the plan effectively, crisis management teams and response and recovery teams could be set up, and procedures for communicating with employees and business partners put in place (Bronson & MacDonald, 2014).
Training and awareness programs are also necessary to ensure that the employees are well acquainted with the plan. However, regular testing of the plan is what provides a credible degree of recovery preparedness (Lapkiewicz & Fraczkowski, 2002).
References
Bronson J. & MacDonald T. (2014). Business Continuity and Disaster Recovery: Employee Compensation Guide. Risk Management Trends, Considerations, & Leading Practices. Protiviti. Retrieved 7 January 2018, from http://www.ucop.edu/ethics-compliance-audit-services/_files/webinars/11-13-14-audit/business-continuity.pdf
DuBois L. (2011). Best Practices in Business Continuity and Disaster Recovery. Riverbed Technology. IDC. Retrieved 7 January 2018, from https://www.action-one.ch/fileadmin/template/downloads/loesungen/riverbed-english/Riverbed_WP_IDC_Best-Practices-Business-Continuity-DR_EN.pdf
Lapkiewicz J.H. & Fraczkowski K. (2002). Business Continuity and Disaster Recovery - Strategic Imperative for the Enterprise Management. PLOUG. Retrieved 7 January 2018, from http://www.ploug.org.pl/wp-content/uploads/ploug-konferencja-08-Lapkiewicz.pdf
Noakes-Fry K., Baum C.H. & Runyon B. (2005, July 11). Laws Influence Business Continuity and Disaster Recovery Planning Among Industries. Gartner. Retrieved 7 January 2018, from https://www.gartner.com/doc/483265/laws-influence-business-continuity-disaster
Tech Target (n.d.). Special Report: Essential Guide to Business Continuity and Disaster Recovery Plans. Retrieved 7 January 2018, from http://www.rbzaneadvisors.com/pdf/051914/Tech%20Target%20Disaster%20Recoveryand%20BusContinuity%20Guide.pdf