Having a continuity plan for any business establishment is highly important. Continuity plan need not be highly expensive. However, it should be dependent on business processes, along with the vulnerabilities that these processes have.
Should you fail to identify either processes or risk, you cannot handle any kind of disaster, and you will not be able to deal with any of the consequences that come along with it.
One aspect that any business organisation should become familiar with is the BIA, or Business Impact Assessment. This forms the foundation on which business continuity plans must be based. When you think of BIA, there are a number of factors you should consider.
First, you need to factor in the costs that come with a recovery strategy. You need to figure out the costs involved with preventing a risk from occuring. If a disaster should occur, it is also important for you to know where your resources should be deployed. The good news is that a Business Impact Assessment can assist you in dealing with these issues. The BIA would basically be responsible for determining the processes which must rapidly be recovered in the face of a disaster. It will also find both the costs as well as the consequences of a disaster.
The BIA can also allow you to see the dependencies which exist among processes, as well as the minimum service that will be needed for the recovery of every process. Through using the BIA, you will understand the order in which processes can be recovered, and most importantly, you will be aware of the resources you will need, along with what will be necessary for restoration. One thing that you should also note is that the Business Impact Assessment is comprised of a number of phases. Understanding these phases is very important.
Business Impact Assessment Phases
Scope of Work and Assessment
With the standard BIA, the scope of work, as well as the agreed terms of reference will be established. After this, the critical staff will be identified, and are interviewed. A series of surveys will also be provided to the staff in order to gain more information about their business processes. Once this is complete, an assessment will be taken to determine the impact which would result to the business processes in the event of a disaster. In addition to this, the reputation and assets of the enterprise will also be considered.
Recovery Time Objective (RTO)
Once this has occured, an RTO, or Recovery Time Objective, must be established for every process. The RTO is defined as the amount of time it takes for the process to recover to its minimum level. After the RTO has been established, the next thing that will need to be established is the RPO, or Recovery Point Objective. This is the point at which data has to be re-established for the objectives of the business to be carried out, and this has to be done for every process.
Minimum Service Level (MSL)
Another important part of the Business Impact Assessment is the MSL, or Minimum Service Level. The MSL is defined as the level in which the process will need to be recovered so that the expectations for service can be matched, as well as the resources which will be necessary to achieve this. There are also dependencies which exist among the various business processes which comprise a business, and it is critical for these dependencies to be identified. Once this is done, the findings will need to be collected in a BIA report. Once the BIA report has been created, it will need to be presented to senior level management to ensure it is in line with the objectives of the organization.
Role of Risk Assessment in BIA
Risk assessment is directly connected to BIA, because it finds the threats that could hinder the performance of the organization, and it is also responsible for establishing the chances of such events occuring, as well as the potential consequences of such events. The risk assessment will advise you of whether or not a threat should be ignored, the amount of money you should spend preparing for the threat, and whether or not recovery plans should be developed in the event the disaster occurs. Much like the BIA, the risk assessment is broken down into a collection of phases.
Many of these phases are similar to BIA, like agreeing to terms, as well as the scope of work. However, there are also some notable differences. With a risk assessment, the probability of a threat occuring would be measured, the threats would be prioritized by level of danger, and the findings would also be summarized (which is the same for BIA). This findings would be placed in a report, and presented to senior management for analysis. The one thing that you must keep in mind is that no successful organization can afford not to have risk assessment or BIA plans.
There are a number of key reasons why you will want to carefully consider a disaster recovery plan for your business. First, in the event of an emergency, the preparations which your enterprise have made in advance can mean the difference between its success and failure.
In the face of many historical disasters, many companies who had failied to develop disaster recovery plans in advance no longer exist today. Not only should the CEOs of Fortune 500 and 1000 companies consider disaster recovery plans, but small and medium sized business owners should consider them as well.
Lets look at some historical events over the last few decades which should give you reason to consider a disaster recovery plan for your business. If you are a multinational corporation that has mining interests or facilities in developing countries, political circumstances can turn against you at a moment's notice. As history shows us, failing to establish a disaster recovery plan for your business is a recipe for disaster.
Disaster Recovery Objectives
There are two fundamental objectives for disaster recovery that most enterprises understand. The first involves the amount of time it takes the organization to recover, and how long the business can continue to function should their crucial IT services go down. The second factor that most enterprises are familiar with is the point of recovery, meaning the time in which you can recovery the data, and the amount of data you can afford to lose or re-enter via an alter area. The good news is that there are a number of options that you have available to you. One such option that you will want to consider is MTO.
MTO, or Maximum Tolerable Outage, is defined as the ultimate amount of time that a business can function from the very start of the disruption or emergency. The recovery objectives that you establish will need to be dependent on concrete business requirements which have been defined via the BIA function. A correlation needs to be established among the starting, reporting, and the investigation methods, along with the process of making decisions, and the recovery.
How to Establish Disaster Recovery Plans
The first step in creating a disaster recovery plan is to write one up, but it will also be necessary for companies to test their plans in order to ensure its effectiveness. Historically, a separation has been made between disaster recovery and the business continuity planning, and while one was relegated to the business department, the other was connected to the IT department. However, one thing that many enterprises are beginning to realize is that this "split" actually creates more problems than solutions, since the typical business will not be capable of operating should their IT services remain down for an extended period of time.
Depending on the industry that your business competes in, a disruptive event can range from hours to days. The one thing that you must understand is that the longer you go without restoring your daily operations, the more destructive the event will be to your business.
A new standard has recently been introduced which is named BS 25999, and it has laid a solid framework that can be followed for BCM, or Business Continuity Management. BCM is highly important, because it is responsible for seamlessly connecting itself with both IT Disaster Recovery and Incident Management. The key to BCM is that if you want to gain authentic business continuity in the face of a disaster, you must have a solid IT Disaster Recovery structure.
The disaster recovery plan that you establish should connect the whole business community together, and it is also critical for it to be clear and easy to understand. You will need to emphasize the activities which are the most important for restoring the IT services which are crucial, and you will want to make sure you test this plan regularly. Testing disaster recovery procedures is one of the most important aspects in ensuring the plans are effective. Without adequate testing, you are putting the enterprise at grave risk, but it will take a real disaster occuring in order for you to find out whether your DR system is efficient.