Business Continuity and Disaster Recovery
Business Continuity and Disaster Recovery are processes that all firms should have but should never want to use. If either is needed and the firm does not have it, the result could be catastrophic for the firm. There can be confusion between the two, but they are quite easy to distinguish:
- Business Continuity is the strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions, in order to continue business operations at an acceptable predefined level.
- Disaster Recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure, systems and applications which are vital to an organization after a disaster or outage. Disaster recovery is a subset of Business Continuity.
What would you do if your premises became unavailable?
Every company should have a Business Continuity Plan* (BCP) so that, if there is a disruptive incident, personnel are aware of the situation and their responsibilities. A BCP should contain pre-determined policies to minimise disruption and maintain continuity of service.
The BCP may identify a designated alternative site, critical roles, critical systems and access requirements, and a communication strategy for staff, external suppliers and other stakeholders.
The designated site should be constantly available, not too close to the usual workplace, and have adequate facilities for individuals to perform their roles. Security of information is a consideration, particularly where shared accommodation is being used.
Instead of a designated alternative site, a remote working arrangement may be appropriate, provided the business can function effectively.
The communication strategy can include call cascades, text messages or a simple call recording. Once staff are aware of the incident, individuals should know what action to take: either go to the designated site because their role is critical, or work from home.
This plan should be tested at least annually, to ensure the communications work, all delegates arrive at the alternative site, all systems can be accessed and all other tasks that are deemed vital can be performed.
In addition to the BCP, a business should have a Disaster Recovery Plan (DRP)*. This could be part of the BCP or stand-alone. The Disaster Recovery Plan should explain how the business will minimise impact in the event that critical systems are unavailable due to a malicious attack, distributed denial of service (DDoS) or other reason.
Like the BCP, the DRP should be tested regularly.
*Examples of BCPs or Disaster Recovery Plans are available online and there are many to choose from.