BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
Business continuity (BC) and disaster recovery (DR) are closely related practices that support an organization's ability to remain operational after an adverse event. The goal of BC/DR is to limit risk and get an organization running as close to normal as possible after an unexpected interruption. As cyber threats increase and the tolerance for downtime decreases, business continuity and disaster recovery gain importance. These practices enable an organization to get back on its feet after problems occur, reduce the risk of data loss and reputational harm, and improve operations while decreasing the chance of emergencies. The trend of combining business continuity and disaster recovery into a single term (BCDR) is the result of a growing recognition that business and technology executives need to collaborate closely when planning for incident responses instead of developing schemes in isolation.
BC/DR is a rapidly expanding market for managed service providers (MSPs) because backup touches so many of their customers' business concerns. Another developing concern is around compliance. The BC/DR market's growth can be tied to the current state of the small and medium-sized business (SMB) segment, which makes up the bulk of MSPs' customer focus. SMBs are also bound by many of the regulatory requirements that are imposed on enterprise-size organizations, so they must meet those same compliance demands.
BCDR professionals can help an organization and its employees achieve resiliency. Developing a strategy is a complex process that requires research, including conducting a business impact analysis (BIA) and risk analysis, as well as developing BCDR plans, tests, exercises and training.
What's the difference between business continuity and disaster recovery?
Business continuity is more proactive and generally refers to the processes and procedures an organization must implement to ensure that mission-critical functions can continue during and after a disaster. BC involves more comprehensive planning geared toward long-term challenges to an organization's success.
Disaster recovery is more reactive and comprises specific steps an organization must take to resume operations following an incident. Disaster recovery actions take place after the incident, and response times can range from seconds to days.
BC typically focuses on the organization as a whole, whereas DR zeroes in on the technology infrastructure. Disaster recovery is a piece of business continuity planning and concentrates on accessing data easily following a disaster. BC includes this element, but also takes into account risk management and other planning an organization needs to stay afloat during an event.
There are similarities between business continuity and disaster recovery. They both consider various unplanned events, from cyberattacks to human error to a natural disaster. They also have the goal of getting the business running as close to normal as possible, especially concerning mission-critical applications. In many cases, the same team will be involved with both BC and DR within an organization.
Importance of BCDR
As cyberthreats increase and the tolerance for downtime decreases, business continuity and disaster recovery gain importance. These practices enable an organization to get back on its feet after problems occur, reduce the risk of data loss and reputational harm, and improve operations while decreasing the chance of emergencies.
BCDR professionals can help an organization and its employees achieve resiliency. Developing a strategy is a complex process that requires research and analysis, including conducting a business impact analysis (BIA) and a risk analysis, and developing BCDR plans, tests, exercises and training.
Plans also provide information such as employee contact lists, emergency contact lists, vendor lists, instructions for performing tests, equipment lists, and technical diagrams of systems and networks.
BCDR expert Paul Kirvan notes several other reasons for the importance of business continuity and disaster recovery planning:
- Results of the BIA identify opportunities for process improvement and ways the organization can use technology better;
- Information in the plan serves as an alternate source of documentation;
- The plan provides a single source of key contact information; and
- The plan serves as a reference document for use in product planning and design, service design and delivery, and other activities.
An organization should strive for continual improvement, driven by the BCDR process.
What you need in a business continuity and disaster recovery plan
BC and DR plans have updated contact lists, of both employees and external stakeholders, and specific procedures for how to respond to particular situations.
Specifically, according to Kirvan, a business continuity plan (BCP) contains contact information; change management procedures; guidelines on how and when to use the plan; step-by-step procedures; and a schedule for reviewing, testing and updating. A disaster recovery plan (DRP) features a summary of key action steps and contact information, the defined responsibilities of the DR team, guidelines for when to use the plan, the DR policy statement, plan goals, incident response and recovery steps, authentication tools, geographical risks and plan history.
Good business continuity and disaster recovery plans are clear about the varying levels of risks to the organization; provide well-defined and actionable steps for resilience and recovery; protect the organization's employees, facilities and brand; include a communications plan; and are comprehensive in detailing actions from beginning to end.
SearchDisasterRecovery's free, downloadable IT DR template will help facilitate the initiation and completion of an IT DR plan.
A BCDR policy is an important initial step. The policy sets the foundation for the process and typically covers the scope of the business continuity management system, which employees are responsible for it, and the activities performed such as plan development and business impact analysis. The policy aspect is often overlooked, but it is an important business continuity auditing item.
Developing the BCP and disaster recovery plan typically starts by gathering BCDR team members and performing a risk analysis and BIA. The organization identifies the most critical aspects of the business, and how quickly and to what extent they need to be running after an incident. After the organization writes the step-by-step procedures, the documents should be consistently tested, reviewed and updated.
While certain aspects of the process will involve select members of the organization, it's important that everyone understand the plan and is included at some point. A test of the BCDR plan, for example, is a good way to incorporate the entire organization.
The role of risk analysis, business impact analysis and BCDR strategies
Determining internal and external risks is important to the business continuity and disaster recovery process. The risk analysis identifies risks and the likelihood they will occur, as well as the potential damage they could cause. This data is used in conjunction with results of the business impact analysis.
The BIA identifies the mission-critical functions an organization must maintain or restore following an incident and the resources needed to support those functions. It's important to gain management support in the undertaking of a BIA, given the intensity of the process. The BIA is a way for an organization to learn about itself and details opportunities for improvement.
An organization uses risk analysis and business impact analysis data to determine business continuity and disaster recovery strategies and the appropriate responses. Each strategy is turned into a series of actions that will help achieve operational recovery, such as data replication, failing over to a cloud-based service, activating alternate network routes and working remotely.
Change management and BCDR testing
Change management oversees adjustments to systems, networks, infrastructure and documents. It addresses similar situations as BCDR planning and testing, so an organization may decide to include business continuity and disaster recovery in the change management process.
The change management process contains six major activities, according to Kirvan:
- Identify a potential change;
- analyze the change request;
- evaluate the change;
- plan the change;
- implement the change; and
- review and close out the change process.
Maintenance is an important element. An organization improves its resilience when it updates its BC and DR plans, and then tests them continually.
However, testing requires time, funding, management support and employee participation. The testing process also includes pretest planning, training test participants and reporting on the test.
SearchDisasterRecovery's free, downloadable business continuity testing template assist organizations in their BC planning.
Tests can range from simple to complex. A plan review involves a detailed discussion and examination of the document, with an eye on what's missing or problematic. A tabletop test brings together participants to walk through the plan steps, also looking for missing information and errors. A simulation test marks a full run-through of the plan, using backup systems and recovery sites.
Business continuity and disaster recovery planning trends, standards and vendors
BCDR is not just for enterprises anymore. Using the cloud -- disaster recovery as a service (DRaaS) -- makes DR more accessible for smaller organizations. A strong DRaaS vendor can provide infrastructure and expertise on BCDR planning. An organization must be careful when selecting its DRaaS provider to ensure it meets its needs.
Standards continue to be an emerging trend, with many developed in recent years from such organizations as the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC):
- ISO 22301:2012: Business Continuity Management Systems -- Requirements
- ISO 22313:2012: Business Continuity Management Systems -- Guidance
- ISO 22320:2011: Emergency management -- Requirements for incident response
- ISO/IEC 27031:2011: Information technology -- Security techniques -- Guidelines for information and communication technology readiness for business continuity
- ISO/IEC 24762:2008: Information technology -- Security techniques -- Guidelines for information and communications technology disaster recovery services
- ISO 31000: Risk management
- Financial Industry Regulatory Authority 4370: Business continuity for banking and finance
- National Fire Protection Association 1600: Emergency management and business continuity
- National Institute of Standards and Technology Special Publication 800-34: IT contingency planning
- American Society for Industrial Security (ASIS) SPC.1-2009: Organizational resilience guidance
- ASIS SPC.4-2012: Organizational resilience management systems
BCDR software also helps an organization build its business continuity and disaster recovery plans, by facilitating business impact analyses or providing plan templates. Some products have an automated emergency notification feature, while others enable training.
Key vendors in the market include eBRP Solutions Network, Everbridge, IBM, Strategic BCP and Sungard Availability Services. Prices range from hundreds of dollars to hundreds of thousands of dollars.
Another option is to outsource the organization's BCDR needs to a consulting firm that can provide assessments, plan development and maintenance, and training. It's incumbent upon the business to analyze its needs before selecting a BCDR firm, nailing down such information as what it wants to outsource, what services it expects of the vendor, the risks of an outsourcing agreement and how much it plans to spend.