Despite all the dire warnings regarding the cost of downtime, including loss of revenue, market share, and even long-term viability, most firms still don’t adequately organize, plan, fund, and staff business continuity and disaster recovery efforts. In fact, most firms don’t even make a distinction between business continuity (BC) and disaster recovery (DR) — and there’s a huge difference between the two. Business continuity is your umbrella plan that encompasses not only the recovery of IT assets, but also people, manual procedures, physical equipment, etc. that a business process relies on. DR on the other hand, is a subset of BC and focuses on the rapid recovery of IT assets and data center facilities following a major disruption of the primary production site. The last thing you want is to successfully fail over to your alternate data center only to realize that no one provisioned any workspace (including PCs, phones, and network connectivity) for key employees that will keep the organization afloat. Unfortunately, many firms won’t even get that far — it would take me another few pages to explain how very few firms ever actually test their DR plan or constantly seek short cuts around thorough testing.
However, there are some firms that not only have well organized and well funded BC and DR efforts but have changed their mentality regarding BC and DR entirely. They no longer see these efforts as just insurance policies but actually a competitive advantage; they now talk about these efforts as business resiliency. Resilience is defined in the dictionary as “the power or ability to return to original form, position, etc., after being bent, compressed, or stretched; elasticity.” It is interesting that the word “broken” is not used. This implies that a resilient business might take a hit of some sort but it’s never actually “down” or must recover from scratch. It hiccups and keeps on going. These firms are determined to maintain their revenue, customers, and market share regardless of the disruption. In some cases, they can even capitalize on a competitor’s downtime. So how does a firm move towards business resiliency? I intend to formalize these steps, but the following are initial set of recommendations:
1. Change your organizational structure. Large firms typically have at least one individual responsible for BC planning. This individual should report to an executive such as the COO or the CFO. Too often the BC planner still reports to IT. Depending on the size of your company, the BC planner should have at least 1 to 2 BC coordinators that report to him or her. There should be someone within IT that has the title or responsibilities of DR planner, and he or she should report up to the CIO (if not the CIO himself or herself).
2. Form a business resiliency council or response team. This team should be made of key line of business owners, the BC planner, the DR planner, and key executives from IT, security, and risk management, as well as the COO. This team is responsible for coordinating resiliency efforts, planning across these corporate functions, and eliminating duplication of efforts (such as running a business impact analysis and local threat assessment three different times). The central team also defines standards for quality and consistency, testing, auditing of plans, etc. Local organizations and business units will still have a need for localized BC and DR plans but these plans should follow a corporate standard and corporate should audit these plans regularly.
3. Adopt industry best practices for business continuity management (BCM). Luckily, you don’t have to start from scratch here. There is a new industry standard that is gaining some visibility and adoption called the British Standard for Business Continuity Management — BS25999.
4. Involve the line of business owners. Business owners must have skin in the game if the firm is going to move towards resiliency. Line of business owners or application owners must work with the BC and DR planners, IT, and security to conduct a business impact analysis and threat assessment. LOB’s should define recovery time and recovery point objectives based on the potential impact to the business (i.e. lost revenue, fees, etc.)
5. Don’t make the BC and DR planners fund their efforts with a tin cup. LOBs and application owners must assist with the business case and funding of BC and DR efforts. In some cases, the firm may want to think about a means by which it can equitably allocate costs back to the business owners — this will keep them involved.
6. Keep plans up to date. The corporate business resiliency team has a process by which DR plans are continuously maintained and are accessible company-wide. This may require investment in BCP software.
7. Test your plans. Unfortunately, there is no way around this one. Yes, testing is time consuming and risky in and of itself, but unless you test, you’ll have no confidence in your ability to actually recover. This is one area where you can begin to get away from traditional concepts of what a DR test is. For example, some firms gracefully failover to their “alternate site,” but in reality are shifting their complete operations to the alternate site and running production from the site for an extended period of time. This eliminates the need to cross your fingers while you failover, run some consistency checks, and then failback.
Check out my recent research.