Defining BC/DR strategies and responses

Paul Kirvan shares tips on how to translate business continuity and disaster recovery strategies into specific action steps.

The process of defining business continuity and disaster recovery strategies and responses helps you determine how you will respond if a potentially disruptive incident occurs. In a normal sequence of BC/DR planning activities, strategy and response definition occurs after the business impact analysis and risk assessment phases, and precedes the BC/DR plan development phase.

The following graphic depicts the process flow for this activity. In this tip, we offer examples of typical strategies and responses and then demonstrate how you can translate a strategy into specific action steps (responses).

Figure: BC/DR strategy and response process

Results from the business impact analysis (BIA) help you focus your efforts on the business processes and systems that have the greatest potential to damage your business if they are disrupted or destroyed. Results from the risk assessment help you identify situation(s) that have the greatest likelihood of occurring and impacting your organization. Determining BC/DR strategies and responses is the process for defining the actions you will take if specific events occur. Results of this step are used in the BC/DR plan development process.

Examples of strategies

Depending on the type of plan(s) you are preparing, your strategies may be similar or totally different. Table 1 examines strategies for both BC and DR plans.

Table 1 – Examples of BC/DR strategies

Strategy types and comments

Business continuity strategies
  1. Strategy: Evacuate existing building and relocate to a pre-arranged alternate work area
     Comments: Assumes the alternate site is ready for occupancy, or can be made ready quickly, based on recovery time objectives; ensure that transportation is available
  2. Strategy: Work from home
     Comments: Ensure that staff have broadband and Internet access at home; ensure there are sufficient network access points to accommodate the increase in usage
  3. Strategy: Move selected staff to a hot site
     Comments: Assumes a hot site program is in place and there is space available at the site for staff
  4. Strategy: Move alternate staff into leadership roles in the absence of key leaders; ensure they have been cross-trained
     Comments: Succession planning is a key strategy in business continuity; it ensures that a senior manager or someone with special expertise who is lost can be replaced with minimal disruption to the business
  5. Strategy: Move staff into local or nearby hotels and set up temporary work space
     Comments: Make sure this kind of arrangement is set up with hotels in advance, especially in case of an incident that disrupts many other businesses in the same area
  6. Strategy: Relocate staff to another company office
     Comments: Organizations with multiple offices that have access to the company network as well as work space can use those offices to temporarily house employees

Disaster recovery strategies
  1. Strategy: Activate backup and recovery facilities in secondary company data center; transfer production to that site
     Comments: Assumes the secondary data center has sufficient resources, e.g., storage capacity, server hardware, to accommodate additional processing requirements
  2. Strategy: Activate recovery resources in a cloud-based service; fail over critical systems to that site and resume operations
     Comments: Ensure that your contract for this service has the ability to "flex" as your needs dictate; ensure that security of your data can be maintained
  3. Strategy: Activate backup systems and data at a hot site; transfer operations to that site
     Comments: Be sure you know what resources you have available at the hot site, what the declaration rules and fees are, and what your options are if multiple declarations are occurring at the same time
  4. Strategy: Replace damaged equipment with spare components
     Comments: As much as possible, have available spare systems, circuit boards and power supplies; backup disks with system software; and hard and soft copies of critical documentation
  5. Strategy: Recover virtual machines at an alternate site; assumes VMs have been updated to be current with production VMs
     Comments: Create VM clones at an alternate site, keep them updated, and if needed they can quickly become production VMs
  6. Strategy: Activate alternate network routes and re-route data and voice traffic away from the failed network service
     Comments: Ensure network infrastructures have diverse routing of local access channels, as well as diverse routing of high-capacity circuits

Turning strategies into responses

Strategy definition is a critical part of the BC/DR process, because your strategies are implemented in your BC/DR plans. Whatever strategy(ies) you select, each is turned into a logical series of detailed actions (responses) that help you achieve your goal: recovery and resumption of your business.

Let's examine how this might work. Suppose you decide that in response to a specific incident, e.g., a severe winter storm that makes it impossible to get into work, your strategy is to have staff work from home. Table 2 provides a suggested series of response steps to take to make this happen.

Table 2 – Translating BC strategies into responses

Strategy and BC plan response steps
Work from home in response to severe winter storm
  1. Monitor weather reports regarding impending severe winter storm
  2. Monitor the status of public transportation systems and highway conditions
  3. Emergency response team conducts periodic conference calls to determine whether conditions are such that the staff should remain home
  4. Prepare message to be delivered to all staff that they should work from home and call in to their supervisors as soon as possible
  5. Assuming conditions are getting worse and travel will be risky, emergency response team decides that staff should work from home
  6. Emergency response team contacts IT staff to contact network service provider(s) and ensure that there are sufficient resources available for staff to work from home and remotely access the company's internal networks
  7. Assuming resources are available (or can be made available quickly), emergency response team decides to order staff to work from home
  8. Emergency response team initiates broadcast message to all staff advising them to work from home and to contact their supervisors
  9. Emergency response team contacts local radio and television stations to broadcast the stay-at-home message
  10. Emergency response teams post a similar message on selected social websites, such as Facebook and Twitter
  11. Emergency response teams monitor progress of the storm and send regular messages about the situation to all staff as well as other key organizations

When defining BC/DR strategies, be sure that your strategies are designed to address the business and operational issues and the risks and threats you identified in your BIAs and RAs, respectively. When you exercise your plans, be sure to confirm that they validate your strategies and responses. And when conducting annual or semi-annual reviews and updates to your plans, be sure to re-confirm that your strategies and responses are still appropriate for the business and operational risks you previously identified.

About the author:
Paul Kirvan, CISA, FBCI, works as an independent business continuity consultant and auditor, and is secretary of the U.S. chapter of the Business Continuity Institute and member of the BCI Global Membership Council. He can be reached at [email protected].