Business continuity planning (BCP) is ‘planning which identifies the organization’s exposure to internal and external threats and provides effective prevention and recovery for its business, whilst maintaining the competitive advantage and the value system integrity. The intended effect of BCP is to ensure business continuity, the ongoing state in which the organization’s business is conducted.

In plain language, BCP is working out how to stay in business in the event of disaster. Typical incidents include local events like building fires, regional incidents like earthquakes or floods, and may include any event that could potentially cause loss to business.

It may also include any event that results in damage to the aspects that business is dependent on, such as loss of source of supply, loss of critical infrastructure (a major piece of machinery or computing/ network resource), or theft or vandalism. As such, risk management must be incorporated as part of BCP.

DRP versus BCP
These terms are often used interchangeably and though they address the same issue, their coverage is different. DRP refers to a process by which you are able to restore your work environment, i.e. data and the computing infrastructure, affected by any disaster.

BCP, on the other hand, suggests a more comprehensive approach to making sure you can keep making money and run business efficiently in the face of problems involving illness or departure of key staffers, supply chain partner problems or other challenges that businesses face from time to time. BCP, therefore, addresses the larger concern of business and ensure continuity of company’s business even when faced with grave situations.

Role of the CIO

It is here that a CIO can show the business orientation and lay emphasis on BCP rather than limiting himself to DRP. When talking of disaster recovery our focus is on ensuring recovery of data and the computing infrastructure so that the business can function. We forget that various business processes that have been affected may need their own time to recover the lost work and get back to normal functioning.

Many a time when there is a disruption and the IT department helps in rolling forward the database to the last position, business struggles for a couple of days more before getting back to normalcy. The business executives sit with the IT staff to reconcile transactions lost during the disruption phase, to cover of the backlog of transactions that might have taken place during this period but not entered (in the systems), or to restart with the right voucher/ document number.

In many cases, the users are not aware how to run their processes when any such disruption occurs. Some organizations have alternate systems which permit simple invoicing, issue of material, or recording production, etc. so that the immediate work does not suffer and then help transfer this data to the main application when the system is recovered.

Focus on the nitty-gritty

There are a few other factors that need clarity, for example, how to assess a failure and when to declare a disaster, how should the business function during the period of disruption, who would lead and manage the scene during this period and how to recover and regroup to get back to a steady state once the failure has been addressed?

BCP policy should clearly define when to inform the management, when to communicate to the working staff and also the standard operating procedure for the people / areas affected. This, of course, should be preceded by a business impact analysis and measures to ensure that the loss to the business is minimal. Post any disaster, the CIO should help assess the loss if any that the business might have suffered due to the disruption.

BCP, therefore, has a significant business element. It takes a holistic view of business to ensure that the company continues to function and stays competitive and rises quickly with minimal damage from any unforeseen and grave event that threatens to ground the organization.

The question is, how do we go about doing it? Many CIOs that I know take considerable time to take necessary steps because a large portion of their available time is often consumed by their day-to-day tasks and by attending to emergencies. The organization then runs the risk of badly losing out in case there is any mishap.

What is disaster recovery planning (DRP)?

Disaster recovery planning (DRP) is the process of developing in advance, the facilities, plans, and procedures, that enable an organization to respond to a disaster by being able to resume critical business functions within a defined time frame, to minimize loss, and to restore affected areas of business. DRP is a part of the larger, more extensive practice called business continuity planning (BCP).

The primary objective of a business resumption plan is to enable an organization to survive a disaster and to re-establish normal business operations. In order to survive, an organization must ensure that critical operations can resume within a reasonable time frame.

Therefore, the goals of a business resumption plan should be to identify weaknesses to implement a disaster prevention program, to minimize the duration of a serious disruption to business operations, to facilitate effective co-ordination of recovery tasks, and most importantly, to reduce the complexity of the recovery effort.

Elements of DRP

The main elements of DRP are given below.

Policy statement: Defining the goal for the plan and a business impact analysis. This is where, I feel, many people slip; I have often found people talking of a DR site and on-line replication without even assessing the tolerance of business to a few hours of shutdown.

Preventive steps: It is important to make a list of all the possible failures and examine steps that can be taken to ensure that such failures could be prevented. This may even include measures like a dual power line to the data center, redundant servers, data back-ups (at remote sites), storage replication, two data centers in the same campus but apart with equipment distributed etc. Larger important measures need to be planned well.

Recovery strategies: This deals with the question ‘what and by when to recover’. Here we talk of Recovery Point Objective (RPO) and Recovery Time Objective (RTO).

RPO refers to the age of the data you want the ability to restore to in event of a disaster. For example, if the RPO is eight hours, systems should be restored in the state they were in no longer than eight hours ago. This helps in defining the back-up or data replication strategies. RTO is the number of hours or days that management has put on resuming a business process or a system; in short this describes the time needed to get back to normal work.

Plan development: All the measures and steps including the infrastructure, back-up devices, processes and recovery steps need to be planned and documented so that the process is uniformly understood by all. Plans would then be run and tested.

Plan buy-in and testing: DR plans would not be effective if people are not aware of what is to be done in the event of a disaster. So awareness and training sessions are of utmost importance. It is a good practice to carry out drills so that the real recovery process is enacted and is a real world exposure.

Maintenance: It is not end of the story if we install a DR solution ― it has to be maintained on an ongoing basis. As the business grows there would be changes to our technical landscape, additions to capacities and realignment of business priorities, thus necessitating a review of our plans. Therefore, plans need to be examined and changed to reflect the current business realities.

DRP, hence, is a well thought of exercise and assumes the significance of a strategic plan designed to protect companies operations from disasters.

Disaster recovery explained
Disaster recovery (DR) is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster. Disaster recovery is a subset of business continuity. While business continuity involves planning for keeping all aspects of a business functioning in the midst of disruptive events, disaster recovery focuses on the IT or technology systems that support business functions.

Why DR planning is important
Disaster recovery, as a concept, got developed long time ago when organizations became more and more dependent on the computer systems and related technologies.

Many a time, when problems occur, companies take long to recover, leading to disruption in work, and often causing loss to business. For instance, interruptions in manufacturing, delay in dispatch of goods, or invoicing may lead to delay in reaching of goods to the market, drop in sales, or loss of customers. Nowadays, organizations are more worried about the dent that disasters may cause to their reputation. Another driving force for ‘DR’ is increasing government regulations mandating business continuity and disaster recovery plans for organizations in various sectors of the economy.

Worldwide, it is estimated that the most large companies spend between 2% and 4% of their IT budgets on disaster recovery planning. By spending on DRP, they aim at avoiding larger losses to business that the damage to IT infrastructure and data can lead to. Of companies that have had a major loss of business data, many never reopened, many closed business within two years, and others survived in the long-term. Today, DR planning is important even to small and medium companies; at times, it is mandated by the principals to whom they supply goods or services.

A CIO’s task
We, as CIOs, have our bounden duty to protect the organization from the fall-out of any such disaster and take measures to both, avoid any such an interruption and to recover soon if any such unforeseen event happens. Such measures, however, cannot be taken in a jiffy; they require detailed study of the computing environment, listing of possible faults, appropriate mitigation measures, and a good amount of planning.

The DR plan (DRP) is a set of defined policies and processes that detail steps that need to be taken to recover access to software, data, network, and hardware in case of any disaster either caused by human negligence or due to natural causes. DRP is complex process and requires a good amount of thinking and application. The plan should take into account all business critical activities and their impact on business and the cost of counter-measures to take care of such disruptions.

A DR plan (a.k.a. DR strategy) is important as it defines objectives clearly and identifies the measures to be taken when a disaster strikes. Execution of the plans, however, is equally important and in my opinion, it is here that many of us are found wanting. Sometimes we take too long for planning, especially when the issues are complex or when business leaders do not show the required urgency. Sometimes a grand plan could be halted due to the CIO not being able to justify the costs involved. During these periods of delay, the risks persist and may even get more acute with time and if a disaster occurs, the CIO may be left groping for answers.

In such cases, the CIO can start implementing some smaller measures that are simple and lend more protection to the environment. The set-up becomes more secure than earlier and we get free form those small but recurring problems that cause headache often. The larger measures can always follow in due time but we would have some protection in the meanwhile.