When discussing disaster recovery planning (DRP), I mentioned that it is part of a larger, more extensive practice called the ‘business continuity plan’. So let’s discuss this subject in a little more detail.
Business continuity planning (BCP) is ‘planning which identifies the organization’s exposure to internal and external threats and provides effective prevention and recovery for its business, whilst maintaining the competitive advantage and the value system integrity’. The intended effect of BCP is to ensure business continuity, the ongoing state in which the organization’s business is conducted.
In plain language, BCP is working out how to stay in business in the event of a disaster. Typical incidents include local events like building fires and regional incidents like earthquakes or floods, and may include any event that could potentially cause loss to the business.
It may also include any event that results in damage to the things the business depends on, such as loss of a source of supply, loss of critical infrastructure (a major piece of machinery or a computing/network resource), or theft or vandalism. As such, risk management must be incorporated as part of BCP.
DRP versus BCP
These terms are often used interchangeably and though they address the same issue, their coverage is different. DRP refers to a process by which you are able to restore your work environment, i.e. data and the computing infrastructure, affected by any disaster.
BCP, on the other hand, suggests a more comprehensive approach to making sure you can keep making money and run the business efficiently in the face of problems involving illness or departure of key staffers, supply chain partner problems or other challenges that businesses face from time to time. BCP, therefore, addresses the larger concern of the business and ensures continuity of the company’s business even when faced with grave situations.
Role of the CIO
It is here that a CIO can show business orientation and lay emphasis on BCP rather than limiting himself to DRP. When talking of disaster recovery, our focus is on ensuring recovery of data and the computing infrastructure so that the business can function. We forget that the various business processes that have been affected may need their own time to recover the lost work and get back to normal functioning.
Many a time, when there is a disruption and the IT department helps in rolling forward the database to the last position, the business struggles for a couple of days more before getting back to normalcy. The business executives sit with the IT staff to reconcile transactions lost during the disruption phase, to cover the backlog of transactions that might have taken place during this period but were not entered (in the systems), or to restart with the right voucher/document number.
In many cases, the users are not aware of how to run their processes when any such disruption occurs. Some organizations have alternate systems which permit simple invoicing, issue of material, recording of production, etc., so that the immediate work does not suffer, and which then help transfer this data to the main application when the system is recovered.
Focus on the nitty-gritty
There are a few other factors that need clarity, for example: how to assess a failure and when to declare a disaster, how the business should function during the period of disruption, who would lead and manage the scene during this period, and how to recover and regroup to get back to a steady state once the failure has been addressed.
BCP policy should clearly define when to inform the management, when to communicate to the working staff, and also the standard operating procedure for the people/areas affected. This, of course, should be preceded by a business impact analysis and measures to ensure that the loss to the business is minimal. After any disaster, the CIO should help assess the loss, if any, that the business might have suffered due to the disruption.
BCP, therefore, has a significant business element. It takes a holistic view of business to ensure that the company continues to function and stays competitive and rises quickly with minimal damage from any unforeseen and grave event that threatens to ground the organization.