May 22, 2013
4 Key Components of a Successful Business Continuity and Disaster Recovery Program
As illustrated by the devastation of Hurricane Sandy in 2012 when countless businesses were without power and data centers went down, it’s becoming increasingly important to have a well-conceived business continuity and disaster recovery (BC/DR) program in place.
Remember, there is a difference between a BC/DR program and a BC/DR plan. A program is a set of policies, practices and responsibilities that provide the structure for management, governance and sustainability to accomplish the program's goals. A plan is a documented set of action-oriented tasks and procedures to be followed when a disruptive event occurs or is imminent. In this article, we discuss the key factors of a successful BC/DR program.
There are four key components that stand out. A successful BC/DR program should be sponsored, accountable, prioritized and continuous.
A continuity program requires sponsorship—support, involvement and funding—from the executive management team. Frankly, writing a memo or committing to the auditors (or the board) is not enough. Senior leaders must be involved in implementing and maintaining the program, as appropriate to their respective roles, and the program must have the necessary funds to satisfy the mission and vision statements.
Recovery plan development, maintenance, and exercises are the responsibility of the manager of the unit the plan covers. The BC/DR professional is assigned ownership of the program, but the unit manager is the owner of the plan. Organizations with successful programs hold managers accountable. BC/DR responsibilities are included in job descriptions and performance evaluations. Reporting processes are truthful about which departments are doing what is expected of them and those reports are published up the chain of command.
Continuity planning is impact driven. Standards for plan content, updates and exercises should be prioritized relative to the degree of impact a business interruption may have on business operations, finances and/or regulatory compliance. No organization can afford to dedicate unlimited resources to BC/DR activities. Successful programs have standards that focus more attention on those areas of the organization that pose the greater risk. For example, financial institutions that have higher-quality programs require more BC/DR attention from groups like wire transfer, deposits, and loans than from the internal training department, because an outage in those groups has a greater impact on the company.
The continuity program is a continuous process requiring regular review, planning, and updating commensurate with the degree of change within a facility, business unit, or system. Impacts on continuity planning should be considered when modifications occur to a facility, business unit or system. The days of filling large three-ring binders with documentation of what you would do in a disaster and putting them on the shelf until the auditor asks for them are long gone. BC/DR programs are intended to protect the business. The business changes over time. Successful programs are reviewed and modified as the business environment changes. Such changes include alterations to the office space and location, operational workflow and the IT services used to support the business. It is recommended that programs be reviewed annually, at a minimum.
BC/DR program goal: keep the business operational
Additional elements common among successful BC/DR programs include a focus on customers’ needs, risk mitigation, communications, building partnerships and more. Unless a program achieves the fundamentals of being sponsored, accountable, prioritized and continuous, its ultimate purpose—to keep the business running—is more difficult to achieve.