In this post, we will discuss Business Continuity Planning and Disaster Recovery Planning and their applications.
Introduction
Running a business requires several resources, such as staff, clients, infrastructure, and technology. Many companies and organizations focus only on the technical side and neglect the other resources needed to secure the business, which leaves the business insecure and exposed to losses. Nowadays, large-scale and small-scale organizations alike rely on the internet to conduct meetings and make arrangements without proper plans or policies, which leaves them exposed to attacks such as the 9/11 attack, which took the innocent lives of 3,000 people, to natural disasters such as floods and fires, and to various other attacks. To guard against such events, a business plan should be created, maintained, and updated so that the organization stays secure and safe. Disaster recovery plans should be in place for any type of disaster that may occur at any time, so a backup plan should always be ready in case of uncertainty.
Business Continuity Planning (BCP) is the process of creating a system of prevention and security against any type of risk or threat to the company. It verifies that all the assets and property of the company are safe and protected from any kind of disaster, and it covers how to face any risk or disaster that harms the organization. It is a major requirement for running a business smoothly. The plans should be tested so that any weaknesses or vulnerabilities are identified and corrected properly.
Disaster Recovery Planning (DRP) is a set of rules or policies designed to help an organization recover and protect itself after it has suffered damage from disasters: natural disasters such as floods, tsunamis, and earthquakes, and man-made disasters such as theft, vandalism, robbery of data, failure of infrastructure, and bio-terrorism. It helps save the organization's budget, power, and energy. A disaster recovery coordinator should take responsibility for recovering from the disaster by implementing plans and maintaining strategies that help to prevent and control the disaster. The coordinator should be able to analyze risks and reduce their likelihood by devising solutions to the problem, so that the organization stays safe and can carry out its work properly.
Background
Business Continuity Planning
The concept of business continuity planning originated in the 1970s, when it focused only on technology. At first it dealt only with single, large systems, and one of its main objectives was keeping the computers cool using water-cooling pipes. During the 1980s it also covered auditing and controlling the system, and it became more formalized and disciplined, with a clear focus on protecting the organization. Its objective was to look after the employees, technologies, and business processes and to fulfill the needs and criteria of the company. Risk assessment and gap analysis came to play a pivotal role in business management in this period, with the focus on protecting data as well as paper files. In the 1990s it focused on value-based operation and the strategic development of policy. Its scope was to maintain competitive advantage, and it covered customers, suppliers, and the entire organization, including human and social issues. The business process was addressed to business managers during this period.
Business Continuity Planning Methodology
BCP methodology is the planning process for the implementation of any business
plans and policies. It involves different phases which are described below in detail.
i. Project management
It is the first step in implementing the BCP methodology in any organization. It helps in maintaining the Executive Management Structure and supports the BCP process. It obtains the commitment of the Heads of Business Units and their staff members, involves them in the BCP process, and starts the information gathering process.
Some of the measures followed by Project management are:
• It develops a Business Continuity Planning framework.
• It builds and maintains teamwork for BCP.
• It generates a plan and schedule.
ii. Risk Analysis and Review
This is the phase where risks, vulnerabilities, and probabilities of an
organization are analyzed thoroughly.
Its purpose is to mitigate or
minimize the risks and threats of an organization.
Some of the measures followed by this phase are:
• It implements, maintains, and monitors the effectiveness of controls.
• It maintains the risk.
• It establishes a main scenario of the disaster.
iii. Business Impact Analysis
This phase determines an organization’s Critical Business Functions and
analyses the disruptive impact on the business.
It determines the extent to
which primarily functional and operational dependencies exist within the
organization.
Some of the major steps followed by Business Impact Analysis are:
• It gathers initial information about business functions, support
systems, and IT applications.
• It verifies and analyzes information.
• It prepares documents and presents findings.
• It includes recovery priorities supported by graphs, charts, and other working aids.
iv. Business Continuity Strategy
This phase determines and selects an operating strategy for maintaining critical business functions or services even after a disaster.
Some of the processes involved in this case are:
• It initiates the BC strategy Project and Design.
• It evaluates the statement and arrangement after the disaster has
taken place.
• It starts the BC strategy workshop.
v. Testing and Exercising
This phase checks whether the business continuity plans are working or not. Testing is necessary to prove the plan's validity and to find errors. It ensures the integrity of the complete business continuity plan, with variable results to handle every type of situation.
Some of the processes involved in Testing and Exercising are:
• It designs the testing program which includes the necessary tests
and exercises.
• It executes the test where different questions are asked to
complete the task.
• It evaluates the results of the test and exercises to know
whether the test was successful or not.
Disaster Recovery Planning
Organizations at different levels do business to earn money and to make their products and infrastructure popular. Every company may have secret and sensitive data stored in its safes. If any type of disaster occurs, the data will be damaged and the organization may be put at risk, which is why the company needs a proper data recovery plan. The disaster recovery plan should be created so that it has a solution for each and every disaster that may occur at any level of the business. It should be designed to recover all the vital business processes during a disaster within a limited period.
Control Measures of Disaster Recovery Plan
The control measures can generally be classified into three types:
• Preventive measures
These measures help in controlling and preventing any type of risky event from happening.
• Detective measures
These measures help in identifying any type of unwanted event which could result in a disaster.
• Corrective measures
These measures help in restoring the IT system after the occurrence of the event.
Recovery Point Objective and Recovery Time Objective
A business continuity plan contains two metrics, Recovery Point Objective (RPO) and Recovery Time Objective (RTO), which are the two most important factors of business continuity planning. These objectives lead an organization to choose an optimal and correct data backup plan. RPO is the recovery point from which the data must be restored so that previous transactions can be resumed, whereas RTO is the recovery time allocated for the recovery of data. Recovery time is the time that is allowed to elapse between the disaster and the activation of data from the backup server or secondary site. The major difference between these two metrics is their purpose. RTO is usually large in scale and looks after the whole business and the systems involved, whereas RPO focuses on data and the company's overall losses.
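The two metrics can be checked against backup and recovery records. The following is an added example, not code from the original post: it computes the data-loss window and the recovery time for one incident and compares them with the objectives. The 4-hour RPO, the 8-hour RTO, and all timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

def worst_backup_gap(backups):
    """Longest interval between consecutive backups (worst-case data loss)."""
    ordered = sorted(backups)
    return max((b - a for a, b in zip(ordered, ordered[1:])), default=timedelta(0))

def recovery_point(backups, disaster):
    """Latest backup completed at or before the disaster, or None if there is none."""
    usable = [b for b in backups if b <= disaster]
    return max(usable) if usable else None

def assess(backups, disaster, activated, rpo, rto):
    """Compare one incident (or recovery drill) against the RPO and RTO."""
    if activated < disaster:
        raise ValueError("activation cannot precede the disaster")
    point = recovery_point(backups, disaster)
    # Data written after the recovery point is lost; with no backup, all of it is.
    data_loss = None if point is None else disaster - point
    # Time between the disaster and activation of data at the secondary site.
    recovery_time = activated - disaster
    return {
        "recovery_point": point,
        "data_loss": data_loss,
        "recovery_time": recovery_time,
        "rpo_met": data_loss is not None and data_loss <= rpo,
        "rto_met": recovery_time <= rto,
        # Does the schedule itself guarantee the RPO between any two backups?
        "schedule_meets_rpo": len(backups) > 1 and worst_backup_gap(backups) <= rpo,
    }

if __name__ == "__main__":
    # Constructed sample data: objectives and timestamps are illustrative only.
    RPO, RTO = timedelta(hours=4), timedelta(hours=8)
    backups = [datetime(2024, 3, 1, h) for h in (0, 4, 8, 14, 18)]
    disaster = datetime(2024, 3, 1, 13, 30)   # strikes inside the 08:00-14:00 gap
    activated = datetime(2024, 3, 1, 20, 0)   # secondary site goes live
    for key, value in assess(backups, disaster, activated, RPO, RTO).items():
        print(f"{key}: {value}")
```

In this sample the recovery time is within the RTO, but the six-hour gap in the backup schedule means the RPO is missed.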
Difference between BCP and DRP
Although BCP and DRP sound the same, there is a slight difference between them:
BCP
• It is a plan for mitigating risks if any disaster occurs.
• It is business-centric.
• It has a series of DRPs.
• Its objective is to continue the critical business operations.
DRP
• It is a plan for accessing the required technology and infrastructure after a disaster happens.
• It is data-centric.
• It is built upon a strong business continuity plan.
• Its objective is to recover from any type of disaster.
Difference between Risk Assessment and Business Impact Analysis
Risk Assessment
• It is the list of risks and their probability.
• It is used for maintaining Information Security and is also used in BCP.
Business Impact Analysis
• It is the list of information on RTO and RPO.
• It is only used in Business Continuity Plans.
Literature Review
Case Study
The 9/11 attack on the World Trade Center in the U.S.A. brought the realities of IT disaster recovery sharply into focus. More than half of all small to medium-sized enterprises were affected by 9/11 and were shut down.
Findings:
The event which took place at the World Trade Center on September 11, 2001, in the U.S.A. had a tremendous impact on the technology of the financial services organizations in that location, as well as on the different global companies located there. Nearly 8,000 Intel-based servers and approximately 5,000 UNIX servers were lost, at a cost of $370 million. It was also estimated that around 30,000 securities posts, such as the posts for trading, sales, research, and operations departments, were lost in the seven WTC buildings, and another 15,000-20,000 posts were lost in the other building after the incident took place. According to a source, $3.2 billion was required to replace the technologies of the organizations that were affected by the attack. Around $1.7 billion was invested in new hardware infrastructure for trading stations, sales stations, work stations, PCs, servers, minicomputers, storage devices, cabling, and communications hubs to routers and switches. The remaining $1.5 billion was spent on cover services and software to install necessary networks, operating systems, and applications infrastructures. Many organizations which were victims of the attack could not recover from the losses and ended up going out of business. This is the main reason why enterprises and organizations should always be ready for any type of attack and should make a recovery plan and a continuity plan before any disaster occurs.
Analysis:
The 9/11 attack was one of the most dangerous attacks on mankind. It caused severe damage to many enterprises and organizations, which could not recover from the incident and had to end their business due to weak plans and policies. However, some business organizations learned from their mistakes in the incident and planned to make strong policies and recovery plans for the betterment of their organizations in the coming days. The other lesson that should be learned from this attack is that the company should learn as a whole rather than focus on a single person, and should share ideas and views with everyone in the organization, because if anything happens to one person, the others can follow the terms and policies and continue the business. Business, security, and IT leaders should work together as a team so that they can determine what type of plans need to be implemented for the business units to keep them safe. The business team should always be updated and upgraded and should have a backup plan. Collaboration and cooperation between teams should be maintained. Everyone should be aware of their roles and responsibilities, and the members should have expertise at an organizational level. If these things are maintained, the organization can work smoothly without any disruptions and achieve its goal.
Conclusion
Finally, the report states that Business Continuity Planning and Disaster Recovery Planning are important factors which need to be implemented by all enterprises and organizations. Although these two factors are not responsible for generating profit for the organization, they control risks and disasters and help it sustain itself through rough patches. The implementation of these two factors is very important if organizations want to sustain themselves and carry out their functions smoothly without any risk. BCP and DRP are not essential for a short-term period but are valuable and useful if they are followed for a long period. If any new business or organization is being started, the entrepreneurs should follow BCP and DRP so that their business can be safe and secure from any type of harm. Along with the benefits of BCP and DRP, this report also concludes that the practical approach to business continuity has not matched the research portion of business management, as there has been little to no effort in the study done to improve the state of business continuity and disaster recovery planning, so a continuous effort should be maintained in study and research in the field of business management.