Your systems are up and running. Your organization is operating as usual, and all is as it should be. Then, suddenly, it’s not. A flood, an earthquake, a pandemic, or a fire threatens your ability to keep your organization operating. Systems are offline, and critical business processes have stalled. You’re frantically trying to determine what damage has been done, which employees have been affected, and how long it will be until you can recover. Without proper planning and testing, it is difficult to know the answers to these questions.
The implications of an event that has not been planned or prepared for can be devastating to a company, as well as to the customers it serves. The only way to mitigate the risks is through comprehensive planning and testing.
What is business continuity?
There are many ways to define business continuity (BC), and there is a great degree of variance around how organizations define it. However, what’s important to know is that BC refers to the recovery of critical business functions.
According to The Definitive Handbook of Business Continuity Management, BC is defined as “A proactive process which identifies the key functions of an organization and the likely threats to those functions; from this information plans and procedures that ensure key functions can continue whatever the circumstances, can be developed.”
What is disaster recovery?
Like BC, disaster recovery (DR) can be defined in a multitude of ways. The common thread among all definitions is that DR focuses on the recovery of critical IT systems.
DisasterRecovery.org, a website that provides guidance and information on DR and BC, defines DR as, “The process an organization uses to recover access to their software, data, and/or hardware that are needed to resume the performance of normal, critical business functions after the event of either a natural disaster or disaster caused by humans.”
What is the difference between the two?
While there are numerous differences between BC and DR, these points sum them up nicely:
- BC is about the survival of critical business functions, whereas DR is about the survival of critical IT systems
- Since many critical business functions rely on IT systems, DR is frequently seen as a subset of BC
- BC is higher level and less technical, while DR is lower level and more technical
What are examples of each?
XYZ, Inc. is a manufacturer of wind turbines located in the San Francisco Bay area. Since they are reliant on suppliers to manufacture some of the parts required to construct the turbines, XYZ has identified supply chain management as a critical business process.
Let’s assume one of XYZ’s critical suppliers on the east coast has been impacted by a hurricane that has caused a shutdown of manufacturing. XYZ only has about one week of parts on hand, and the shutdown is expected to last several weeks. What should XYZ do? This is an example of a BC-only scenario. Critical systems are up and running, but the process will shortly be non-operational.
Now, let’s say an earthquake strikes San Francisco, and the internet is unavailable due to massive power outages. In this case, since orders to suppliers cannot go out and IT systems are unavailable, both BC and DR come into play.
Not every event requires both BC and DR. In some cases, it could be one or the other.
Do organizations really need BC and DR programs? Can’t they just adjust on the fly?
The fact is, no matter how nimble your organization may be, without a robust BC/DR program, you won’t be able to tell if you have sufficient resources, personnel, and capital to adjust for unplanned events. Invariably, some events will occur for which you are unprepared. It may be three months from now or even 10 years from now, but it will happen.
Every organization has critical functions and systems that must be protected from unplanned events, whether natural disasters, human-caused disasters, or even criminal activity. Regardless of what occurs, a comprehensive BC and DR plan will enable an organization to address these situations immediately and effectively. Without such a plan:
- Critical systems and functions that operate your business may go unnoticed
- Recovery takes much longer and is more expensive, maybe more time and money than you can afford
- Your organization, your employees, and your customers are at undue risk
- Your organization’s reputation is on the line
Are there other factors to consider?
Depending on your industry, you may have a regulatory requirement to implement a BC/DR program. Regulations and frameworks like FedRAMP, HIPAA, FDA, EPA, Privacy Shield, EU Annex 11, SOX, PCI DSS, and GDPR all either explicitly or implicitly require compliant organizations to have BC/DR programs.
Also, a robust BC/DR program is required if your organization is seeking compliance with quality standards like ISO 9000/9001, HITRUST, and AICPA SOC 2.
The bottom line is that your customers and clients expect that your organization will continue to provide products and services to them in a time of emergency. Without a BC/DR program, you cannot give that assurance to them.
What encompasses a robust BC/DR program?
Effective business continuity and disaster recovery programs include the following qualities:
- A comprehensive, ongoing process of developing, testing, and maintaining a BC plan (BCP) and a DR plan (DRP). These plans are living documents, continually updated and refined to ensure they are kept accurate as your business, as well as the world around it, matures and changes. Outdated plans can be more dangerous than none at all, as they will give obsolete information at a time of great need.
- Sponsorship and approval from senior/executive management. These programs affect high-visibility core business functions and systems and should receive a high degree of attention.
- Integration with ongoing regulatory compliance and quality assurance activities.
- BC/DR plans must be periodically tested to make sure they are effective in addressing threats. The results of that testing should be used to update the plans as necessary.
- The entire organization should remain vigilant for emerging threats that have the potential to impact operations or systems. The BC/DR plans should be updated to encompass emerging threats.
Key take-home points on BC and DR
- A wide array of threats, known and unknown, exist in the world. Without analyzing and preparing for these threats, an organization is unprepared to deal with them effectively if they become a reality.
- Everyone in an organization must recognize the value of protecting its business, employees, and customers. This must start at the senior/executive management level and roll down.
- Compliance with regulatory mandates and international standards requires a strong BC/DR program.
- BC/DR are full lifecycle programs that result in the creation of a comprehensive set of plans, including a BCP and a DRP. These plans must be reviewed, tested, and maintained to remain accurate and timely.
If you find yourself in a position without business continuity and disaster recovery plans or needing to revise them, we can help you define, develop, institute, and refine a BC/DR plan that can help you prepare for disasters and keep operations running smoothly should they occur. For more information, please reach out to me.