By Paul Kirvan, CISA, CISSP, FBCI, CBCP
When developing a disaster recovery (DR) and business continuity (BC) budget, the following assumptions and considerations need to be addressed:
- No disaster recovery and business continuity activities exist.
- Disaster recovery plans are in place for IT functions only.
- Disaster recovery plans are in place for business functions only.
- Some departments/divisions have business continuity plans.
- Management support for BC/DR activities does/doesn't exist.
- The department is currently conducting business impact analyses (BIAs) and/or risk assessments.
- The department is currently developing and implementing BC/DR plans that meet the needs of the organization.
- An emergency operations center does/doesn't exist.
- BC/DR policies and procedures are in place and approved by senior management
- A crisis management process and plan does/doesn't exist.
- An enterprise risk assessment for the board and/or senior management has been/has not been completed.
Budget line items checklist
 |
||||
|
|
|||
|
||||
The following disaster recovery checklist provides a selection of typical disaster recovery and business continuity budget line items. Clearly some of the items on the table will not apply to every organization. Smaller organizations may not have the same types of budget line items in their organization as a larger enterprise. Still, this disaster recovery checklist will give you a good idea of typical budget line items to include in your disaster recovery budget regardless of the size of your company.
In addition, it may be useful to group various items under specific headings, such as disaster recovery/business continuity program office or program management.
|
Budget Item |
Jan. |
Feb. |
March |
April |
|
Salaries -- Full-Time |
|
|
|
|
|
Salaries -- Part-Time |
|
|
|
|
|
Consultants/Contractors (Business Focus) |
|
|
|
|
|
Consultants/Contractors (IT Focus) |
|
|
|
|
|
Program Office |
|
|
|
|
|
Hot Site/Cold Site |
|
|
|
|
|
Alternate Office Space |
|
|
|
|
|
Internal Recovery Site(s) |
|
|
|
|
|
Data Backup and Recovery |
|
|
|
|
|
Risk Analyses |
|
|
|
|
|
Business Impact Assessments |
|
|
|
|
|
Plan Development/Updating |
|
|
|
|
|
Plan Exercising |
|
|
|
|
|
Training/Awareness |
|
|
|
|
|
Notification/Alerting Systems |
|
|
|
|
|
Emergency Communications |
|
|
|
|
|
Mobile Recovery |
|
|
|
|
|
DR Technology |
|
|
|
|
|
Emergency Response |
|
|
|
|
|
Emergency Operations Center |
|
|
|
|
|
Emergency Supplies (disaster kits) |
|
|
|
|
|
Incident Management |
|
|
|
|
|
Auditing/Compliance/Maintenance |
|
|
|
|
|
Records Management |
|
|
|
|
|
Staff Training and Education |
|
|
|
|
|
Staff Attendance at Conferences |
|
|
|
|
|
Publications/Subscriptions |
|
|
|
|
|
Professional Memberships |
|
|
|
|
|
Professional Certifications |
|
|
|
|
|
Webinars/Podcasts |
|
|
|
|
|
BC/DR Software |
|
|
|
|
|
Emergency Disaster Funds |
|
|
|
|
|
Office Space |
|
|
|
|
Remember that the disaster recovery budget process, as well as the entire disaster recovery and business continuity organization in your firm, exists to accomplish several key activities.
Make sure you factor in the following key activities in the disaster recovery checklist below:
- Develop and implement DR/BC plans that facilitate the timely recovery of critical business functions and IT facilities following a major disruption or disaster.
- Develop policies, procedures and compliance activities to address all BC/DR and security requirements.
- Develop, document, exercise and maintain plans to ensure survival of the business and minimize the negative impact of business and technology disruptions.
- Identify and assess potential risks to the enterprise and its operations, technology infrastructure, business processes and people.
- Identify and assess potential vulnerabilities to the enterprise and its operations, technology infrastructure, business processes and people.
- Design and deploy cost-effective emergency mechanisms that can quickly recover business and technology operations.
- Develop and deploy training and awareness programs so that all employees are fully aware of their responsibilities and commitments.
- Establish and maintain liaison with external parties such as customers, vendors, insurers, emergency first responders, regulators, financial institutions, etc.
- If external recovery facilities (e.g., hot sites) are used, ensure they are secure and that systems are prepared for emergency activation.
- Develop a capability to optimize media relations so as to minimize adverse publicity and negative business implications.
Click here to go to the next part of our guide and download our free IT disaster recovery planning budget template.
This was first published in March 2010