Developing a business continuity and disaster recovery strategy is rarely simple. The process usually involves an extensive amount of information gathering, combined with piecing together products and services that can collectively achieve a thorough and resilient DR strategy.
The information-gathering phase is one of the most important parts of the BC/DR planning process. While it may be tempting to focus the planning efforts around the deployment of the required IT infrastructure, BC/DR planning typically requires a much more business-centric approach.
One of the first steps that an organization should take as it creates a BC/DR plan is to perform a comprehensive risk analysis. After all, it's impossible to create an adequate BC plan until the risks that could potentially jeopardize the continuity of business have been identified.
Although an organization's IT staff may have a good idea of potential risks, it's common for larger organizations to outsource the risk analysis study to a consulting or auditing firm that specializes in providing BC planning services.
Another key step in incorporating BC into a DR strategy is to assemble a business impact analysis (BIA). This report places a monetary value on all the organization's IT workloads. In doing so, it determines which workloads are critical to ongoing operations. Additionally, such a report commonly identifies the cost per minute that the company would incur in the event of a workload outage.
It's important to have a BIA included in a DR strategy, as this report helps the IT department prioritize its efforts. BC/DR can be expensive. There may not be enough funding or staffing resources available to provide DR capabilities for every workload the organization is running. Identifying the cost of an outage on a workload-by-workload basis helps the IT department determine the workloads that should take priority. Similarly, knowing how much money an outage could potentially cost the organization can help those who are responsible for budgeting to know how much to spend on the organization's BC efforts.
Even if an organization has the resources necessary to make its entire IT footprint fully redundant, implementing a BC/DR plan takes time. The organization remains vulnerable to an outage until the plan has been fully implemented. Knowing which workloads are most important to maintaining normal business operations can help the IT department determine where to begin.
Although the IT department may have a sense of which workloads are the most important to the business, it typically doesn't have a great deal of insight into the inner workings of the business. That being the case, it's unlikely that the IT department will have the information or the background that's required in the production of a BIA. Such a report will almost always need to be prepared either by the organization's finance department or by an outside accounting firm.
Common approaches to creating a BC/DR strategy
There are four main approaches that organizations commonly take to ensure BC and tighten up their DR strategy. Note that there are endless variations to these approaches.
- The best in class. By taking this approach, an organization uses a mixture of BC firms and DR providers and does it in a way that optimally achieves the organization's set objectives. An organization might, for example, use one company to compile a risk analysis report and a different firm to create a business impact report.
The idea behind this approach is that an accounting firm is probably best suited to create the business impact report, while an IT auditing firm is probably going to do the best job of identifying the risks that currently exist. Additional providers might also be used on an as-needed basis. In some cases, there might be an overlap in the various firms' areas of expertise, as each typically has its own core competency.
The best-in-class approach is likely to be the most expensive of the options discussed here because it relies on multiple experts. Even so, the cost may be justified since the end result should be a BC/DR recovery plan that has been thoroughly vetted by multiple experts.
- A managed partnership. With this option, an organization uses a BC service that has partnered with a managed service provider (MSP) for DR. This approach is likely to be less expensive than the best-in-class approach because fewer experts are involved, but it should still deliver a workable option.
In this approach, a firm that specializes in BC assesses the organization's needs and develops a strategy in conjunction with a partner DR organization. One of the primary advantages to using this approach is its efficiency. Because the BC service is used to working with its partner organization, developing an overall DR strategy will probably be quicker and easier than the previous approach, which requires a variety of unrelated firms to work with one another.
- A single provider. A third approach involves using a BC MSP that develops an offering that's based on DR as a service. This approach tends to be even less expensive than a managed partnership because all the expertise is provided by a single firm. Because this firm probably relies on a small number of DR services, it should be well versed in the intricacies involved in using those services and, therefore, be able to provide a well-thought-out strategy, without any surprises.
- DIY DR. With this approach, the organization's own IT staff does all the planning and then builds a DR offering that's based around a public cloud provider, such as Microsoft Azure or AWS.
This approach is by far the least expensive of the four, but it does have at least one significant disadvantage: The project's success is completely dependent upon the IT staff's expertise. While an organization's IT staff is presumably competent, they may or may not have experience with developing a DR strategy. Additionally, firms that specialize in BC almost always have staff members who have a business background. Conversely, an organization's internal IT department may have all the necessary technical competencies but lack any sort of meaningful business background. This would make it difficult for the IT staff to understand the organization's core business processes that must be addressed by the BC approach.
It's evident that a tremendous amount of work goes into the BC/DR planning process. Although an organization can ultimately implement DR capabilities in whatever way makes the most sense for it, most organizations tend to create a strategy that's based on one of the four approaches examined here.