Business Continuity Planning and Disaster Recovery Planning

Due diligence is the investigation or exercise of care that a reasonable business or person is expected to take before entering into an agreement or contract with another party, or an act with a certain standard of care. It can be a legal obligation, but the term will more commonly apply to voluntary investigations.

  • Distinguish between the business continuity plan (BCP) and the disaster recovery plan (DRP)
    • The business continuity plan (BCP) describes the critical processes, procedures, and personnel that must be protected in the event of an emergency. The corresponding business impact analysis (BIA) evaluates risks to the organization and prioritizes the systems in use for purposes of recovery. Mission-critical systems—systems that are essential for the ongoing operation of the business—are at the top of the list, followed by less critical systems and then “nice to have” systems that are nonessential for the business to remain in business.
    • The disaster recovery plan (DRP) describes the exact steps and procedures that personnel in key departments (specifically the IT department) must follow to recover critical business systems in the event of a disaster that causes the loss of access to systems required for business operations. For example, one credit card company’s mission-critical system is the authorization system for charge requests at the point of sale; without this capability, the company could not generate revenue and would be out of business in a matter of days or weeks.
  • Follow the steps in the BCP
    • Those responsible for the plan must identify the scope and boundaries of the business continuity plan while communicating the importance of such a plan throughout the organization. What critical aspects of the business must be considered as part of the plan? This step typically involves an audit analysis of the organization’s assets, including people, facilities, applications, and IT systems, along with a risk analysis that identifies the types of threats to the organization, both man-made and natural.
    • Using the results of this thorough analysis, they must create the business impact assessment (BIA). The BIA measures the operating and financial loss to the organization from a disruption to critical business functions.
    • When the BIA is complete, those responsible for creating the plan must sell the concept of the BCP to key senior management and obtain organizational and financial commitment. Without the support of top management, the BCP remains an abstraction—mere words on a page. The presenters must be prepared to answer questions such as whether the BCP is cost-effective and practical. If the cost of implementing the plan outweighs the benefit derived from it, the BCP must be reviewed and modified where appropriate. If the plan is too cumbersome and impractical to implement, its chances of success are slim.
    • After the BCP has gained the approval of upper management personnel who have signed off on the plan and released the necessary resources to implement it, each department needs to understand its role in the plan and support and help maintain it. This happens through a thorough examination of best practices within the organization and the tasks, processes, roles, and resources needed to meet the stated objectives of the continuity plan.
    • Finally, the BCP project team must implement the plan. This includes the necessary training, testing, and ongoing review and support of the BCP in both financial and practical terms. Business processes are rarely static, and the project team must ensure that the BCP adapts to changes within the organization.
  • Explain to business executives why planning is important
    • Businesses must protect shareholder investments while meeting federal and state legal requirements
  • Define the scope of the business continuity plan
    • Identifying critical business processes and requirements for continuing to operate during an emergency
    • Assessing risks to the business if critical services are discontinued
  • Identify types of disruptive events
    • Natural events
    • Events for which man, not nature, is directly responsible
    • Determining the cost of continuous operation and the value ascribed to each service
    • Establish the rules of engagement for tracking the progress
  • Outline the contents of a business impact analysis (BIA)
    • Quantifies the risks, establishes priorities, and performs a cost/benefit analysis for countering risks
    • Prioritize the business processes, most likely at the department level, possibly using a scoring system to assign a weight or value to each process
    • Downtime tolerance – determine how long each process can be down before business continuity is seriously compromised
    • Identify the resources required to support the most critical processes
  • Discuss recovery strategies and the importance of crisis management
    • Keeping the computers running
    • Meeting formal and informal service-level agreements (SLAs)
    • Being proactive rather than reactive
  • Explain backup and recovery techniques, including agreements for shared sites and alternate sites
    • Shared-site agreements are arrangements between companies with similar
    • Alternate-site service providers offer a hot site, a warm site, or a cold site
  • Testing the DRP
    • Walk-throughs
    • Simulations
    • Checklists
    • Parallel testing
    • Full interruption
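The BIA items above (a weighted scoring system, downtime tolerance per process, the resources each process needs, and a cost/benefit check on countermeasures) can be worked through in a small script. This is an added example, not part of the original notes; the process names, figures and the scoring formula are constructed assumptions.

```python
# Added example: a toy business impact analysis (BIA) ranking. The scoring
# formula and all sample figures are constructed assumptions, not a standard.
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    weight: int                # departmental importance score, 1 (low) to 5 (high)
    max_downtime_hours: float  # downtime tolerance before continuity is compromised
    loss_per_hour: float       # operating + financial loss per hour while down
    resources: list = field(default_factory=list)  # resources needed to keep it running


def criticality(p: Process) -> float:
    """Higher score = recover first.

    Weight and loss rate raise the score; a longer tolerable outage lowers it.
    The +1 keeps zero-tolerance processes from dividing by zero.
    """
    return p.weight * p.loss_per_hour / (p.max_downtime_hours + 1)


def rank_processes(processes):
    """Order processes for recovery, most critical first."""
    return sorted(processes, key=criticality, reverse=True)


def countermeasure_justified(p, outage_hours, annual_probability, annual_cost):
    """Cost/benefit check: countermeasure cost vs the expected annual loss it averts."""
    expected_loss = p.loss_per_hour * outage_hours * annual_probability
    return annual_cost < expected_loss, expected_loss


PROCESSES = [  # constructed sample data
    Process("card authorization", 5, 0, 50_000, ["auth cluster", "WAN link", "HSM"]),
    Process("payroll", 3, 72, 2_000, ["HR database", "bank file transfer"]),
    Process("intranet wiki", 1, 168, 50, ["web server"]),
]

if __name__ == "__main__":
    for p in rank_processes(PROCESSES):
        print(f"{p.name:20s} score={criticality(p):10.1f} resources={p.resources}")
    ok, loss = countermeasure_justified(
        PROCESSES[0], outage_hours=8, annual_probability=0.2, annual_cost=60_000)
    print(f"hot site for card authorization justified: {ok} (expected annual loss {loss:,.0f})")
```

Mission-critical card authorization ranks first despite a short outage scenario because it has zero downtime tolerance; the same inputs show when a hot site is worth its annual cost and when it is not.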