Disaster Recovery Planning Ensuring Business Continuity
How a company responds during an emergency or other unexpected event can drastically impact how quickly it can resume operations and its prospects for future success. Planning ahead and having systems in place for such events can be just as important as the actual response once an event occurs.
To prepare, companies should have both business continuity plans and disaster recovery plans in place. While business continuity and disaster recovery plans are two separate types of plans, they should complement each other as there are many similar concerns for each.
Below, we outline how these plans differ and steps your company can take to design effective plans should an emergency arise:
- What Is a Business Continuity Plan?
- What Is a Disaster Recovery Plan?
- How Does Disaster Recovering Planning Differ from Business Continuity Planning?
- What Types of Events Should Be Included in a Disaster Recovery Plan?
- What Are the Benefits of Planning Ahead?
- What Does a Business Continuity Plan Typically Include?
- What Processes and Procedures Belong in a Business Continuity Plan?
- What Is the Purpose of a Disaster Recovery Plan?
- What Does a Disaster Recovery Plan Typically Include?
- How Do You Test a Disaster Recovery Plan?
What Is a Business Continuity Plan?
A business continuity plan is a predefined approach and procedure for how a business will continue to run when coping with an emergency.
What Is a Disaster Recovery Plan?
A disaster recovery plan is a predefined approach and procedure for restoring the business to full functionality, following a system failure or compromise, while keeping the impact to a minimum.
How Does Disaster Recovering Planning Differ from Business Continuity Planning?
While a business continuity plan focuses on defining how business operations should function under abnormal circumstances during a disaster or emergency, a disaster recovery plan focuses on getting applications and systems back to normal.
What Types of Events Should Be Included in a Disaster Recovery Plan?
Business emergencies can include events that are intentionally or accidentally caused by humans as well as natural disasters.
Potential disasters and threats can include the following:
- Pandemic flu
- Computer and server shutdown or denial-of-service and sabotage
- Ransomware attack
- Bomb threat
- Severe weather or wildfire
Regardless of the origin, business disasters may cause:
- Death or significant injury
- Damage to property or environmental damage
- Closing of business
- Work or service stoppage
- Negative impact on the company's financial standing or company image
What Are the Benefits of Planning Ahead?
Business continuity planning and disaster recovering planning both provide several benefits to your organization, especially when they're drafted in tandem, including:
- People and property protection
- Morale boost
- Improved decision-making
- Risk management
People and Property Protection
Having emergency plans in place can help safeguard life and property of the company and its employees. The Occupational Safety and Health Administration (OSHA) even requires companies with more than 10 employees to write these plans in compliance with its Regulation 1910.38 Emergency Action Plans.
Morale Boost
When employees know plans are in place, they may feel safer. This can help boost morale and potentially increase business value perception to buyers who recognize the responsibility and preparedness of the company.
Improved Decision-Making
Planning ahead allows for systemic, structured, and timely implementation of your plan and helps you make decisions based on the best available information, should an emergency occur.
It also provides room to be dynamic and responsive to change. Flexibility can allow you to take human and cultural factors into account, such as supporting workers with medical needs or managing teams that operate across geographic regions, and allows the company to be transparent and inclusive with its plans.
Even if you haven't faced an emergency, planning for one can help facilitate continual improvement of the organization and become an integral part of all organizational processes.
Risk Management
Managing risk for organizations includes risks posed by relationships with third parties, such as service providers or vendors. These third parties can play a significant part in the overall risk for an organization based on the types of data they have access to or handle. They can also be used to provide recovery services or high availability for systems that need to meet high levels of up time.
For companies serving highly regulated industries, such as health care, financial services, and utilities, third-party risk management often includes assessing business continuity plans and disaster recovering plans. By documenting and testing these plans, organizations are better equipped to meet the expectations of those they serve.
What Does a Business Continuity Plan Typically Include?
There are several key factors to consider when creating a business continuity plan. While employees and customer safety should be your top concern, there are also other areas of focus that are especially important.
Business continuity planning should focus on:
- Duration your business can last without its tools, assets, operating locations, and other elements crucial to operations
- Possible outcomes if you're denied access to facilities, servers, customer records, or other needs
- Length of time you can operate without telephone service, electricity, or temporary electricity if running only on generators, water, and other utilities
- Necessary changes to processes and workflows to maintain critical operations until the situation can be returned to normal
- Scenarios most likely to occur that would create the greatest disruption to the organization
What Processes and Procedures Belong in a Business Continuity Plan?
To prepare for those concerns, a business continuity plan should define processes and procedures for the following:
- Assessing and planning for threats to business operations
- Maintaining operations and meeting obligations during emergencies
- Testing your plan, including test types, testing schedules, and documentation requirements
Steps to assess various risks should include the following:
- Estimating the likelihood of the event based on data, such as the historical frequency of natural disasters in an area
- Defining risk categories, such as operational, legal, reputational, or security risks
- Estimating the impact to assets or processes based on the defined risk categories—for example, a natural disaster that causes a server outage may affect a public website hosting a storefront, which could impact revenue or relationships with partners
- Mitigating controls such as backups and alternate operating locations
How Are Contacts and Communications Determined in a Business Continuity Plan?
Primary and secondary points of contact should be determined internally and externally. It may help to create templates or prewritten communications as well as communications schedules that can be deployed immediately in the event of an emergency. This helps put plans into action and address employee and public concerns.
Emergencies can require all hands on deck, so it's important to identify top personnel and their responsibilities in your plan, as well as team members to serve as alternates in case the primary role player is unavailable.
Responsibilities should be defined and assigned for the following roles:
- Crisis manager or site coordinator
- Engineering or maintenance officer
- Human resources officer
- Communications or public relations officer
- Outside members such as police, fire, and government personnel
Employees will need to be notified and provided instruction in an emergency situation. Employee contact information should be up-to-date and easily accessible with departmental organizational charts as well as cell and home phone numbers and emergency contact information included.
Planning should also consider the likelihood that communications systems may be inaccessible and define alternative means of connecting with employees and team members, including any third parties supporting business continuity efforts.
What Safety and Security Measures Are Included?
First-Aid
First-aid kits and other resources should be inspected at least on a monthly basis. Identify local hospitals, medical treatment options, and available 911 services so the correct parties can be contacted as quickly as possible if needed.
Evacuation and Access to Property
Evacuation plans from all company buildings should be readily available, and employees can be instructed on evacuation routes through drills. Additionally, they should be provided directions to shelter and safe areas.
For those not at a company location or to plan for how to access property following an emergency, alternate routes to key facilities should also be provided in the event of damaged roads.
How Will You Access Contractors, Support Equipment, and Utility Companies?
Should you require the assistance of emergency personnel, repairs to infrastructure, or equipment, it's important to consider how you'll access these resources. Contractor contact information and tools and equipment requirements, as well as rentals, should be readily available.
Equipment you should consider having access to includes the following:
- Generators for backup power including portable options such as trailers
- Computing equipment and storage
- Trailers to transport fuel to generators, equipment for repairs, or sandbags before storms
In addition to requesting these materials, it's important to make sure anyone who will come in contact with the equipment has a deep knowledge of how to properly operate machinery and assess any safety concerns.
Other important vendors and contacts to have easy access to include the following:
- Banks and financial institutions
- Computer and IT backup support providers
- Building contractors
- Fuel companies
Do You Have Proper Insurance?
Should damage take place to your property or if people are harmed, you'll want to make sure the proper insurance protocol is in place. You should be able to easily access the contact and claims reporting information for the following:
- Property-casualty agent
- Group health insurance
- Life or accidental death and dismemberment insurance
Insurance concerns can also extend to cars and other vehicles, so it's important to have access to vehicle identification numbers (VINs) in case they go missing or are damaged.
What Is the Purpose of a Disaster Recovery Plan?
The purpose of disaster recovery planning is to support critical operations by returning IT systems to full functionality. This should be prioritized based on customer needs, regulatory requirements, and the importance to your organization or the operations that the IT system supports.
You should be able to determine the availability of workaround options compared to work stoppages to do the following:
- Reduce the likelihood or impact of an event through technology and controls
- Maintain minimum mission-critical systems to allow for eventual full restoration
- Recover post-disaster by bringing all systems back online to full operational state
What Does a Disaster Recovery Plan Typically Include?
A disaster recovery plan has many of the same elements of a business continuity plan that need to be documented and defined ahead of time, but there are several key elements that are different. These elements include:
- Business impact analysis
- Assumptions and constraints
- Communication processes
- Data and system backup plan
- Damage and impact assessment
- Response communication and action plan
What Is a Business Impact Analysis?
A business impact analysis is essential for determining and evaluating the effects of an interruption to critical business operations. It assesses a disaster's impact over time and helps establish recovery strategies, priorities, and requirements based on system criticality.
Business leaders and management should be involved in determining the system recovery priorities as this analysis will be used to document the critical systems, document dependencies with other systems, and prioritize the system recovery efforts.
What Is the Importance of Communication Processes and Role Assignments?
Communication is a key process during the recovery effort so recovery teams should understand their roles and responsibilities. A disaster recovery coordinator should be established, along with a backup to this position. These persons will be responsible for coordinating, communicating, and managing staff during the recovery efforts.
An emergency response team should also be documented as these personnel will be responsible for the actual recovery of the systems. They will need to prepare the recovery site for operation, coordinate recovery steps and activities, interface with system vendors, and ensure recovery is complete once systems are restored.
What's Included in the Data Backup Plan and the Response Action Plan?
Disaster preparedness is rooted in an agreed-upon backup strategy that addresses acceptable recovery time and data loss, adequate system redundancy, and sound data restoration processes. The data backup plan details the backup strategy employed to ensure that data is available in order to restore systems during emergency and nonemergency situations.
This plan outlines the backup strategy for all of the critical systems identified in the business impact analysis. The recovery and response action plan provides detailed steps on the recovery procedures that need to be performed in order to restore systems and data. The recovery steps are critical as they will help guide staff in the steps necessary to fully recover a system.
How Do You Test a Disaster Recovery Plan?
Once a plan is in place, perform tests that help verify that it can be properly executed.
What Are the Testing Methods for Disaster Recovery Plans?
Diverse testing methods must be deployed so that multiple scenarios can be addressed and tested. Suggested testing methods include the following:
- Walkthrough testing
- Simulation testing
- Checklist testing
- Full-interruption testing
- Parallel testing
What Are the Benefits of Testing Scenarios for Disaster Recovery Plans?
Testing can be done for several purposes including the following:
- Exercising the recovery processes and procedures
- Familiarizing staff with the recovery process and documentation
- Verifying the effectiveness of the recovery documentation and site
- Establishing if recovery objectives are achievable
- Identifying improvements to the disaster recovery strategy, infrastructure, and recovery processes
We're Here to Help
Emergency preparedness is all about planning, training, and maintaining a supportive culture. To learn more about how your business can organize business continuity and disaster recovery plans and confidently test and execute them, contact your Moss Adams professional.
Source: https://www.mossadams.com/articles/2021/07/business-continuity-and-disaster-recovery-plans
0 Response to "Disaster Recovery Planning Ensuring Business Continuity"
Post a Comment