Business continuity & disaster recovery

  1. 1. Business Continuity & Disaster Recovery
     Why Should Companies Take a Closer Look at Business Continuity Planning?
     George Coutsoumbidis
  2. 2. Why Should Companies Take a Closer Look at Business Continuity Planning?

     How net business continuity and disaster recovery solutions can help organizations lessen the impact of disasters and incidents.

     Over the last 30 years, companies have significantly changed their approach to ensuring that their businesses can continue to run in the event of a catastrophe. In the 1970s, IT departments responsible for companies’ information-based assets focused on the recovery of the data center and associated networks. By the 1990s, the focus had shifted to business units. The commitment of management became a critical success factor in the development of business continuity plans, as both IT and the business were required to develop those plans. As a result of 9/11, organizations extended business continuity planning to create enterprise-wide plans. Today, executive management is much more involved in ensuring the success of the plans, and the focus has shifted from power, hardware, and software outages to regulatory requirements, business requirements, and non-traditional events such as terrorist attacks.

     Business continuity planning / disaster recovery (BC / DR)

     Many organizations still merge the terms disaster recovery and business continuity. However, for the purpose of this paper, each term is defined so that all parties involved have the same foundation from which to work.
  3. 3. Disaster recovery is the process by which you resume business after a disruptive event. Events can range from significant (e.g., an earthquake, a terrorist attack) to something smaller like malfunctioning software caused by a computer virus. However, given the human tendency to look on the bright side, many business executives are prone to ignoring disaster recovery because disasters seem unlikely to occur.

     Business continuity planning suggests a more comprehensive approach to ensuring that the business can continue to make money, not only after a natural calamity, but also in the event of smaller disruptions, including illness or departure of key staffers, supply chain partner problems, or other challenges that businesses face from time to time.

     The business continuity plan (BCP) encompasses every aspect of any recovery procedure used to keep a company operating. It provides an understanding of the risks the company has identified, mitigation for those risks, business impacts of the risks, and a mapping of critical business functions to the organization. A part of the BCP, the disaster recovery plan focuses on the recovery or resumption of IT as it supports the business.

     Reasons for developing business continuity capabilities

     Changes in business processes and technology, increased terrorism concerns, recent catastrophic natural disasters, and the threat of a pandemic have focused even greater attention on the need for effective business continuity planning. Executive management is now expected to consider the potential for area-wide disasters that could affect an entire region and result in significant losses to the organization. In most cases, recovery time objectives (RTOs) are now much shorter than they were a few years ago, and for some institutions, RTOs are based on hours and even minutes. Ultimately, all business units should anticipate and plan for the unexpected and ensure that their business continuity planning processes appropriately address the lessons they have learned from past disasters.

     The board and executive management are responsible for ensuring that the organization identifies, assesses, prioritizes, manages, and controls risks as part of the business continuity planning process. The board and senior management should establish policies that define how the organization will manage and control the identified risks. Once a policy is established, the board and senior management must understand the consequences of these identified risks and support continuity planning on a continuous basis.
  4. 4. General Dwight D. Eisenhower said, “In preparing for battle, I have always found that plans are useless, but planning is indispensable.” The same thing can be said about business continuity planning. The real value in business continuity planning lies not in the report that is produced (although call-out lists and procedures are definitely of value), but in the following three areas:
     − The decision-making / assessment process: Identifying what could happen, associated consequences, prevention and mitigation, and the business risks.
     − The data gathering process: Evaluating what type of data you have, who uses it, where it is located, and what risks it faces.
     − The increased awareness that results from such a project.

     − The business continuity planning process should include regular updates to the BCP. The BCP should be updated based on changes in business processes, audit recommendations, and lessons learned from testing.
     − Changes in business processes include technological advancements that allow faster and more efficient processing, thereby reducing acceptable business process recovery periods. For example, in response to competitive and customer demands, many IT institutions are moving toward shorter recovery periods and designing technology recovery solutions into business processes. These technological advances underscore the importance of maintaining a current, enterprise-wide BCP.

     Additional industry practices that are commonly used to maintain a current BCP include:
     − Integrating business continuity planning into every business decision
     − Incorporating BCP maintenance responsibilities in applicable employee job descriptions and personnel evaluations
     − Assigning the responsibility for periodic review of the BCP to a planning coordinator, department, group, or committee
     − Performing regular audits and annual, or more frequent, tests of the BCP

     Human resources represent one of the most critical BCP components, and often, personnel issues are not fully integrated into the enterprise-wide plan. Based on the business impact analysis (BIA), the BCP should assign responsibilities to management, specific personnel, teams, and service providers.
  5. 5. Plan purpose

     A BCP provides for the continuation of critical business functions and the recovery of those functions in the event of a disaster. Many potential contingencies and disasters can be averted, or the damage they cause can be reduced, if appropriate steps are taken to manage through the event. A completed plan outlines the course of action taken in the event of an emergency and the recovery process for business units to return to normal business operation.

     The BCP addresses the following:
     − How will management prepare employees for a disaster, reduce the overall risks, and shorten the recovery window?
     − How will decision-making succession be determined in the event management personnel are unavailable?
     − How will management continue operations if employees are unable or unwilling to return to work due to personal losses, closed roads, or unavailable transportation?
     − Who will be responsible for contacting employees and directing them to their alternate locations, if required?
     − Who will be responsible for leading the various BCP teams (e.g., crisis / emergency, recovery, technology, communications, facilities, human resources, business units and processes, and customer service)?
     − Who will be the primary contact for critical vendors, suppliers, and service providers?
     − Who will be responsible for security (information and physical)?
  6. 6. Plan objectives

     Objectives of the BCP include:
     − Reducing the risk of disruption of operations or loss of information
     − Communicating responsibilities for the protection of information and continuity of mission-critical business functions
     − Minimizing the number of decisions that must be made following an event
     − Decreasing dependence on the participation of any one specific person in the response process
     − Minimizing the need to develop procedures during response
  7. 7. Plan components

     All BCPs need to encompass how employees will communicate, where they will go, and how they will keep doing their jobs. Details can vary greatly, depending on the size and scope of a company and the way it does business. For some businesses, issues such as supply chain logistics are most crucial and are the focus of the plan. For others, IT may play a more pivotal role, and the developed plan may concentrate on systems recovery. For example, the plan at one global IT company would restore critical mainframes with vital data at a backup site within four to six days of a disruptive event; obtain a mobile PBX unit with 3,000 telephones within two days; recover the company’s more than 1,000 LANs in order of business need; and set up a temporary call center for 100 agents at a nearby training facility.

     But the critical point is that neither IT systems nor supply chain logistics can be ignored, and IT and human resources plans cannot be developed in isolation from each other. BC / DR is about constant communication. Business and IT leaders should work together to determine what kind of plan is necessary and which processes and business units are most crucial to the company. Together, they should decide which people are responsible for declaring a disruptive event and mitigating its effects. Most importantly, the plan should establish a process for locating and communicating with employees after such an event. In case of a catastrophic event, the plan also needs to account for employees who have more pressing concerns than returning to work, as was recently demonstrated along the U.S. Gulf Coast during the aftermath of Hurricane Ike.

     To be successful, the BCP should include the following items at a minimum:
     1. Escalation chart – documents the escalation path for specific issues based on prepared scenarios
     2. Call list – determines who is on call and how to contact those people supporting specific components of the plan
     3. Actions to take – document action items and recommended decisions to minimize decision making in a crisis
     4. Recovery inventories – identify the items required for recovery to determine what can be recovered if lost (e.g., building, systems, etc.)
     5. Disaster recovery plans – establish the procedure for recovering IT systems
     6. Responsibilities – determine roles and responsibilities of personnel during a disaster and as part of ongoing plan maintenance
     7. Priorities – provide the recovery priority and sequence
     8. Administration maintenance and exercising – identify required maintenance and sign-offs
     9. Organization – details organizational charts
     10. Alternate facilities and resources – list backup work and recovery locations (e.g., contracts, vendor)
  8. 8. Plan organization I
  9. 9. Plan organization II

     Below is a sample of how a BCP might be organized:

     Section 1: General company information
     − Plan mission statement
     − Outage emergency definition
     − Escalation levels
     − Service levels during an outage emergency
     − Listing of business functions and processes
     − Definition of criticality

     Section 2: Business recovery teams
     − Description of recovery teams
     − List of team members
     − List of team tasks

     Section 3: Backup procedures
     − Configurations
     − Inventories
     − Applications
     − Backup procedures
     − Inventories of offsite data, documents, forms, and supplies

     Section 4: Recovery procedures
     − Hardware
     − Software
     − Communications
     − Applications

     Section 5: Implementation plan
     − Tasks required for execution of BCP

     Section 6: Recovery exercise plan
     − Parameters
     − Objectives
     − Measurement criteria

     Section 7: Recovery plan maintenance
     − Requirements
     − Procedures

     Section 8: Relocation / migration plan
     − Tasks required to return to permanent site

     Appendices:
     − Vendor contacts
     − Equipment lists
     − Personnel information
     − Forms / documents

     Why build a BCP rather than move to a second data center for disaster recovery?

     The most significant benefits of developing a BCP are the organization and prioritization of processes and applications required to recover critical business processes in an orderly fashion. Moving to a secondary site without developing a plan essentially doubles your infrastructure costs and does not ensure business continuity or disaster recovery. Key drivers for these excess costs include:
     − Lack of application consolidation and virtualization planning could make determining budget priorities more difficult.
     − Lack of process modification could lead to disruptions and additional downtime.
     − Unplanned outages during the transition phase could impact the business and customers.
     − Not all processes or applications will need redundancy immediately, if at all.
     − Failover of equipment does not guarantee failover of systems, extending potential outages.
     − Lack of planning could conceal critical interdependencies among in-house applications and other companies.
     − Lack of planning may result in purchasing infrastructure to mirror technologies at end of life or late in the technology refresh cycle.
     − Lack of planning may impact balancing the risks and benefits of the second site.
  10. 10. − Lack of a plan may emphasize quantity over quality, which in turn, will decrease productivity and impact the customer experience.

     Consultative methodology:
