The process of defining business continuity and disaster recovery strategies and responses helps you determine how you will respond if a potentially disruptive incident occurs. In a normal sequence of BC/DR planning activities, strategy and response definition occurs after the business impact analysis and risk assessment phases, and precedes the BC/DR plan development phase.
The following graphic depicts the process flow for this activity. In this tip, we offer examples of typical strategies and responses and then demonstrate how you can translate a strategy into specific action steps (responses).
Results from the business impact analysis (BIA) help you focus your efforts on the business processes and systems that have the greatest potential to damage your business if they are disrupted or destroyed. Results from the risk assessment help you identify situation(s) that have the greatest likelihood of occurring and impacting your organization. Determining BC/DR strategies and responses is the process for defining the actions you will take if specific events occur. Results of this step are used in the BC/DR plan development process.
Examples of strategies
Depending on the type of plan(s) you are preparing, your strategies may be similar or totally different. Table 1 examines strategies for both BC and DR plans.
Table 1 – Examples of BC/DR strategies
|Business continuity strategies|
||Assumes the alternate site is ready for occupancy, or can be made ready quickly, based on recovery time objectives; ensure that transportation is available|
||Ensure that staff have broadband and Internet access at home; ensure there are sufficient network access points to accommodate the increase in usage|
||Assumes a hot site program is in place and there is space available at the site for staff|
||Succession planning is a key strategy in business continuity; it ensures that a senior manager or someone with special expertise who is lost can be replaced with minimal disruption to the business|
||Make sure this kind of arrangement is set up with hotels in advance, especially in case of an incident that disrupts many other businesses in the same area|
||In organizations with multiple offices, those offices that have access to the company network as well as work space can be leveraged to temporarily house employees|
|Disaster recovery strategies|
||Assumes the secondary data center has sufficient resources, e.g., storage capacity, server hardware, to accommodate additional processing requirements|
||Ensure that your contract for this service has the ability to "flex" as your needs dictate; ensure that security of your data can be maintained|
||Be sure you know what resources you have available at the hot site, what the declaration rules and fees are, and what your options are if multiple declarations are occurring at the same time|
||As much as possible, have available spare systems, circuit boards and power supplies; backup disks with system software; and hard and soft copies of critical documentation|
||Create VM clones at an alternate site and keep them updated so that, if needed, they can quickly become production VMs|
||Ensure network infrastructures have diverse routing of local access channels, as well as diverse routing of high-capacity circuits|
Turning strategies into responses
Strategy definition is a critical part of the BC/DR process, because your strategies are implemented in your BC/DR plans. Whatever strategies you select, each is turned into a logical series of detailed actions (responses) that help you achieve your goal: recovery and resumption of your business.
Let's examine how this might work. Suppose you decide that, in response to a specific incident, e.g., a severe winter storm that makes it impossible to get into work, your strategy is to have staff work from home. Table 2 provides a suggested series of response steps to take to make this happen.
Table 2 – Translating BC strategies into responses
|Strategy and BC plan response steps|
|Work from home in response to severe winter storm|
When defining BC/DR strategies, be sure that your strategies are designed to address the business and operational issues and the risks and threats you identified in your BIAs and RAs, respectively. When you exercise your plans, be sure to confirm that they validate your strategies and responses. And when conducting annual or semi-annual reviews and updates to your plans, be sure to re-confirm that your strategies and responses are still appropriate for the business and operational risks you previously identified.
About the author:
Paul Kirvan, CISA, FBCI, works as an independent business continuity consultant and auditor, and is secretary of the U.S. chapter of the Business Continuity Institute and member of the BCI Global Membership Council. He can be reached at firstname.lastname@example.org.