What is your understanding of Disaster Recovery Planning and Business Continuity Planning? Are these two terms related, or maybe not? How could companies implement these seemly unrelated services as a unified strategy to offer a complete service for business?
If you were going to develop a unified strategy using these services, what would be some common mistakes that you might make, and how would you avoid them?
I will answer these questions in this blog post, and in so doing, will guide you through making the technology work for you to implement your strategy.
Definitions and Technologies
Before we start our discussion, lets first understand the definitions of each term we will be using, starting with the first term:
Disaster Recovery: The process by which data and services are restored following an outage event or crash.
Business Continuity: The steps and processes a business takes to continue operations during an outage or crash to maintain accessibility and services to the business.
The graph below illustrates the concept of the two plans
As illustrated by the graph, when a disaster strikes, the Disaster Recovery Plan (DRP) focuses on the services used to recover the system and its data back to full operations. From a technology point of view at this stage, the plan is more focused on Backup and Recovery.
On the other hand, the Business Continuity Plan (BCP) is more focused on keeping the business operating and functional during the recovery after the disaster has struck. From a technology point of view, the BCP is focused on Replication, instead of Backup and Replication.
From the definitions of these two terms, you can see that that both plans are dependent upon each other; both plans are discussing the engagement of recovery operations to restore business. BCP focuses on the resumption of business activity by addressing the processes, people and property to be used for business continuity; while disaster recovery focuses on the recovery of the information technology systems used to restore business operations by addressing data and system recovery.
Building Your Effective Business Continuity and Disaster Plan
Understanding the relationship between the DRP and the BCP is essential before you can start building an effective plan for your business. Discussing these terms with customers requires using the ITIL framework to explain the concepts of our solution. I use the diagram below to illustrate the relationships.
By concentrating on the business and its tolerance for downtime, you can adopt the right technologies to protect your business against any type of outage. To put things in perspective, let us examine the ITIL Framework diagram:
- Identify: Start with identifying the potential causes of outages, and apply a risk assessment of that outage and how it will affect your business operation. At this stage, it is important to consider natural disasters, human errors, hardware and software malfunctions, losing a key employee, and more.
- Analyze: Here, you must analyze the impact of the outage on your business. What happens if an outage hits the business? Remember that the disaster is all about the impact on the business, and not the event itself.
- Design: Start building a strategy to avoid, or at least minimise, the risk you have already identified to reduce, or even avoid, an impact on your business following an outage.
- Execute: Start executing the plan by building the steps and procedures necessary in the event of an outage.
- Measure: Continue developing and adjusting the plan. Test your plans. Testing is the key to identifying gaps in your plan. Testing can also identify the need for a different approach.
As humans, we learn by making mistakes. Sometimes, the mistakes can be costly, especially when they involve the impacts and costs to the business. Let’s look at some common mistakes that you should avoid:
- No Business Impact Analysis: Outages can occur for many reasons. It is important to analyse the many reasons an outage might occur, and how each outage might impact the business. You can plan a protection or recovery strategy for an outage risk after you identified it.
- Too Much Technology Focus: Technology alone will not cover the entire strategy to maintain business availability. Technology is only a medium to enable the execution of your business availability plan.
- Not Involving the Business: Remember, building your BCP/DRP is not a one person exercise. You must involve the business and understand how each business unit is generating and using the data. By understanding the connections between the business units, you can understand the impact an outage might have on that part of the business; then you can protect it.
- Not Making Operations Personnel Responsible: You must ensure that all key operations personnel in your plan have the knowledge and authority to implement your plan, and can be contacted in the case of an emergency.
- Not Reviewing or Testing the Plan: You must run your plan to test it. The test run is to allow for a review of its effectiveness and to identify gaps in the processes. Testing your execution and simulating an outage from time to time will help you identify new requirements your business may need. Testing can assist you to adjust your plan to include new developments.
BCP and DRP working together help to keep your business operational through any type of outage. it is very important to examine all the potential threats to your business; then you can build a plan to protect against them. Technology is called into play after you have identified the threats and analysed a response. Remember also that each business unit has different tolerance to a data outage. You will need different techniques ready to execute the plan.
Last, don’t forget about the testing and revision of your BCP and DRP. In the fast-paced digital world today, companies are continually altering their business models, which in turn calls for new technologies that must be accounted for, and tested, in your plan.