Business continuity and disaster recovery plans are documents that help businesses to overcome or reduce the impact of serious events. They are related but they are not the same.
What does Business Continuity Plan do?
Business continuity is concerned with the continued operation of business services even when key support technology has failed. As an example, a business may have procedures on how to manually charge credit cards if the electronic point of sales devices cease to operate. The business continuity plan simply provides alternative ways to operate in the absence of regular support systems.
What does a Disaster Recovery Plan do?
A disaster recovery plan is concerned with the restoration of services when there is a monumental failure. As an example, a business may maintain off-site backups that can be used to restore key systems in another location if the main data center is flooded.
What is the difference between the two?
Because business continuity plans must often be invoked in the event that a disaster strikes the two plans are often merged into what has become known as the BCDR plan.
But in practice they each apply to different scenarios. Business continuity plans help staff to continue to deliver busiess services when key systems have failed. And a disaster recovery plan helps to restore key systems to normal operation after a catastrophic failure.
It is possible that a business continuity plan be invoked without the need for disaster recovery. For example, if a key system is shut down for a prolonged period of time due to a major upgrade business continuity plans may be invoked in order to reduce the impact on business services.
Key elements of a Business Continuity Plan (BC)
The BC plan should include all the information necessary to enable the business to continue to function such as contacts, processes, plans, documentation and access requirements.
One key consideration when creating the BC plan is the availability of key staff. This is because events that are significant enough to invoke a BC plan also have the potential to affect staff on a personal level. Fires, floods, health related outbreaks or security incidents are just some events that may prevent key staff from attending the workplace.
When do you invoke a BC/DR plan?
It's important to document the conditions that trigger the application of the business continuity and disaster recovery plan. The regular decision makers may not be available during a disaster and staff need to understand when it is appropriate to invoke such a plan. Serious events that may warrant the use of BC/DR include;
- Environmental disasters
- Serious health related outbreaks
- Hardware failure
- Deliberate physical or electronic attacks
- Loss of core services such as electricity
Triggers to invoke BC/DR plans vary depending on the type of business and the pressure to continue to operate. For example, a retail outlet will likely have much more capacity for downtime than a hospital.
Adapting to chaos, procedures during an emergency
Some critical incidents occur suddenly and unexpectedly. This can cause chaos and hamper the decision making process. Ensure BC/DR procedures clearly explain the assignment of roles, responsibilities. Change management and workflow approvals are prime examples where processes and procedures may need to be adapted in order to cater for reduced communication capacity between staff.
A communication plan
Clear communications can help to reduce damage and speed up the restoration of services. Key contacts, alternate communication details such as mobile phones, home phones, pagers, satellite phones or radio should be specified in the plan. The format of the communication is also important and should also be identified in the communication plan.
The purpose is to enable management and leaders to receive and disseminate information as quickly and efficiently as possible despite losing common systems such as email and work phones. In a disaster event, desicions are made using the most current information but that may not be complete or accurate if communications are poor.
Ensure you have a complete picture
All business services should be documented and the impact of the loss of those services should be clearly labelled in order to help with decision making and prioritizing as service restoration efforts begin.
The org structure
Roles and responsibilities can become blurred during a critical incident. In many cases key staff members are not available or infrastructure services that enable staff to communicate are hindered. Clear roles will facilitate the decision making process when the organizational hierarchy is not clear or complete.
Technical Service Restoration Tools
All the information necessary to restore, re-build or migrate services should be available in some form regardless of the state of business systems. This information may include;
- Key technical contacts names and numbers
- Technical documentation including hardware and software necessary to view the documentation
- Passwords and pin numbers
- Access (or instructions for access) to physical premises such as data centers and communications rooms
- The process required to restore software and data
- Telecommunications capability if remote connections or wide area connections are required as part of the service restoration
- Alternate infrastructure availability such as laptops, computers, servers, monitoring stations and any other tools
- Procurement process for the purchase of emergency gear such as computers and cables if a makeshift computer room is required
Ongoing and Regular Testing
Business changes all the time and the plan needs to keep up. Organizational structure, technology, key staff, contact numbers and core services change over time. The business continuity and disaster recovery plan should always reflect the current business.
Consider the Details
The most pressing problems in a disaster scenario will likely be what was NOT considered. As an example, consider the position of your elevators in a flood scenario. If they are parked in the basement then they will get flooded, if they are parked in the top floor then it is likely that they will remain dry. These small overshights can delay the re-establishment of normal operations. Moral of the story is that small details are important.