Business continuity is the ability of an organization to maintain essential functions during and after a disaster. Business continuity planning establishes risk management processes and procedures that aim to prevent interruptions to mission-critical services and to re-establish full function to the organization as quickly and smoothly as possible.
The most basic business continuity requirement is to keep essential functions up and running during a disaster and to recover with as little downtime as possible. A business continuity plan considers various unpredictable events, such as natural disasters, fires, disease outbreaks, cyberattacks and other external threats.
Business continuity is important for organizations of any size, but it may not be practical for any but the largest enterprises to maintain all functions for the duration of a disaster. According to many experts, the first step in business continuity planning is deciding which of an organization's functions are essential and allocating the available budget accordingly. Once crucial components have been identified, failover mechanisms can be put in place.
Technologies such as disk mirroring allow an organization to maintain up-to-date copies of data in geographically dispersed locations. This enables data access to continue uninterrupted if one location is disabled.
Key elements: Resilience, recovery and contingency
Conducting a business impact analysis (BIA) can reveal any possible weaknesses, as well as the impact of a disaster on various departments. The BIA report informs an organization of the most crucial functions and systems to be prioritized in a business continuity plan.
A business continuity plan has three key elements: resilience, recovery and contingency.
- A company can increase resilience by designing critical functions and infrastructures with various disaster possibilities in mind; this can include staffing rotations, data redundancy and maintaining a surplus of capacity. Ensuring resiliency against different scenarios can also help businesses maintain essential services on location and off-site without interruption.
- Rapid recovery to restore business functions after a disaster is crucial. Setting recovery time objectives for different systems, networks or applications can help prioritize which elements need to be recovered first. Other recovery strategies include resource inventories, agreements with third parties to take on company activity and using converted spaces for mission-critical functions.
- A contingency plan has procedures in place for a variety of external scenarios and can include a chain of command that distributes responsibilities within the organization. These responsibilities can include hardware replacement, leasing emergency office spaces, damage assessment and contracting third-party vendors for assistance.
Business continuity standards
Table 1 lists the standards in the ISO 223XX Series that apply to business continuity and related activities. The ISO 22398 and 22399 standards are also worth a look.
Table 2 lists the Business Continuity Institute's Good Practice Guidelines. The guidelines provide a comprehensive foundation for understanding the business continuity process, and they map closely to the ISO 22301 standard.
Table 3 provides a partial listing of standards, regulations and good practices developed in the U.S. by several different organizations such as ASIS International, the National Fire Protection Association (NFPA), the Federal Financial Institutions Examination Council (FFIEC), the Information Systems Audit and Control Association (ISACA), the Financial Industry Regulatory Authority (FINRA), the Federal Emergency Management Agency (FEMA) and the National Institute of Standards and Technology (NIST).
Business continuity vs. disaster recovery
Similar to a business continuity plan, disaster recovery planning specifies an organization's planned strategies for post-failure procedures. However, a disaster recovery plan is just a subset of business continuity planning.
Disaster recovery is mainly data focused, concentrating on storing data in a way that makes it easier to access following a disaster. Business continuity takes this into account, but also focuses on the risk management, oversight and planning an organization needs to stay operational during a disruption.