Author’s note: this piece was updated with fresh information in April 2022. It was originally published in August 2020.
As the saying goes, “stuff” happens, and for most organizations, it’s not if, but when, an unexpected event will threaten to shut down operations. From natural disasters to system crashes, unplanned emergencies can put your business’s processes, data, and future in jeopardy.
Is your organization prepared with a plan and ready to continue operating through a crisis? Can your team recover assets, protect sensitive data, and minimize damage while maintaining compliance? Will your organization remain trustworthy and resilient in the eyes of your customers?
Ensuring that your organization can maintain business continuity and recover from disasters is more challenging than ever. This article will discuss Business Continuity Disaster Recovery (BCDR) and how to protect your business and customers during these trying times.
What is Business Continuity and Disaster Recovery (BCDR)?
Business continuity and disaster recovery (BCDR) refers to the IT and business processes created to ensure that an organization will stay operational during and after a disaster.
Incidents — from floods to ransomware attacks — are inevitable, and depending on the severity, can be quite costly. With this in mind, robust BCDR programs should focus on the steps an organization needs to take in order to protect employees, physical and virtual assets, and customers when a “disaster” occurs.
Why is BCDR Important?
BCDR is critical today for several significant reasons. For one, having a BCDR plan helps organizations function through disasters, preserving revenue and reputation while boosting customer confidence.
Second, a healthy BCDR plan will ensure the safety and wellbeing of your most valuable organizational resource: your people. Maintaining employee health and safety is the most critical requirement for business continuity and recovery should a disaster strike. Remember, your business success during a crisis rests on your people, so protecting them with a robust safety plan must be a priority.
Third, BCDR plans help protect data. How important is this? According to industry experts at Yeo and Yeo, a top national business advisory firm, “If your business were to ever lose its data, it could likely be catastrophic. Nearly 70% of businesses that lose their data quickly go out of business”.
Fourth, COVID-19 disrupted business operations and forced organizations to adopt a broader view of business continuity. Most BCDR plans include protocols for other assets, yet few consider human resources. The pandemic has forced organizations to change the operational processes, procedures, and tools they use to get work done.
At this time, it’s more important than ever for businesses to have an updated BCDR plan in place that considers a broad range of operational issues, including employee health and safety, remote collaboration, securing corporate and personal devices in a remote work environment, IT service disruptions, and vendor risk.
Developing a BCDR Strategy
Your strategy should center around a plan designed to maintain operations and address the recovery of assets and functions in the aftermath of a disaster. In order to develop a robust and comprehensive BCDR strategy, consider the following:
- Potential disasters your organization could face
- How a disaster could impact your company — operationally, financially, reputationally, or otherwise
- How a disaster could impact your customers
- Processes you already have in place to deal with a disaster
- New processes that need to be built to address and mitigate potential disasters before, during, and after they occur
- Testing that may need to be completed to ensure the success of any BCDR plan
Areas of Coverage In a BCDR Plan
There are a variety of areas that need to be addressed in a comprehensive continuity plan, and what you address depends on your particular organization’s operations. Regardless of your specific circumstances, you need to address the following issues.
Triggers: Create an outline of the events that would set your plan in action.
Leadership: Specify how the leadership team interacts and what happens if a team member is unable to perform their designated role.
Work from home policies: Your organization might already have a work-from-home policy with specifics around the rules of engagement. However, you may need to re-assess the security policies and access controls you have in place to ensure employees access sensitive data and corporate systems through secure channels from home.
Communications: During a crisis, communication with your employees, customers, and partners is critical. Because of this, it’s vital to outline policies for how you communicate, when you communicate, and what methods of communication you will use.
Teams: In addition to leadership planning, each team leader needs to develop a contingency plan for their team. Outline who will be second in command and what each team member will be responsible for.
Vendor contingency plans: You likely rely on several mission-critical technology providers to run your business. Make sure that you contact each vendor to ask that they provide you with the latest version of their continuity plans.
How to Build a Business Continuity and Disaster Recovery Plan
To form a comprehensive business continuity plan, you’ll need to complete the following steps:
Risk Analysis
The first step in building out your business continuity plan is to conduct a risk analysis. This should be cross-functional, and it will help identify points of failure within your organization and issues that you need to address. We recommend that your organization prioritize the risks based on potential business impact.
There are six major areas of risk that your organization will need to address in an emergency:
- People: How will your business be impacted if a critical individual is unable to continue work due to illness or death? How equipped are you as an organization to conduct business remotely?
- Operational: How will the threat impact the physical operations of your organization? How will the facilities be impacted? Will there be issues with distribution?
- Technical: How will your business be impacted by failures in technology, including technology failures in business-critical applications or technology failures in your own product?
- Security: What security issues are you vulnerable to — either physical or digital — and do you have the right security controls? At this time, it’s particularly important to have appropriate security policies to enable your employees to securely access corporate systems and corporate data from their homes.
- Financial: Can you continue to generate revenue and keep customers happy? Are there financial issues impacting your ability to continue to operate?
- Communications: Do you have contingency plans for communicating with each other, your employees, your customers, and other stakeholders?
Business Impact Analysis (BIA)
A Business Impact Analysis is a critical assessment step that is completed using an Operational Financial Impacts Worksheet to tally the total operational and financial costs of a business disruption event. These costs may include loss of income, increased expenses, regulatory fines, contract penalties, and customer defections. BIA results weigh heavily in the formation of recovery strategies.
Recovery Strategies
Recovery strategies, the carefully devised backup plans that follow from the BIA, may be the most vital component of a BCDR plan. When operations crash or a pandemic strikes, your organization’s blueprint for replacing critical assets and functions becomes all-important. Organizations design recovery strategies, create manual workarounds, and rigorously back up data to restore business functions to minimally acceptable levels in the event of a disaster. For example, many organizations maintained operations during the COVID-19 pandemic. One of the main pandemic recovery strategies was establishing work-from-home policies on safe networks for remote workers. Another strategy was initiating protection protocols like social distancing and masks for those employees who couldn’t work from home.
Resilient organizations work with a well-defined plan, including recovery strategies, to help navigate the entire process, from early response through full incident recovery. According to Deloitte analysis, an organization’s recovery playbook should map the path to six key macro outcomes:
- Recover and grow revenue
- Increase margins and profitability
- Optimize assets, liabilities, and liquidity
- Accelerate digital transformation
- Support the workforce and operating structure
- Manage stakeholder expectations while proactively addressing risks
Plan to Maintain Operations
Maintaining business operations through a crisis isn’t for the faint of heart—or the unprepared. Be ready with a tested plan to stay up and running through turbulent times. Start by conducting a risk assessment and performing a thorough Business Impact Analysis. Identify mission-critical assets and functions, know the recovery strategies for each, and establish a reliable emergency communication channel.
ISO 22301 is the primary standard used for governing business continuity and helping organizations prepare for, respond to, and recover from disastrous events. The standard provides a set of protocols and procedures to plan, implement, monitor, and continually update business continuity management systems. ISO 22313 is an extension of this standard that explains specific regulatory clauses.
ISO 27031 is the primary standard for designing Disaster Recovery plans. It focuses on information and communication technology planning requirements for both data security and organizational operations. ISO 27031 includes the four critical action steps of disaster recovery—planning, doing, checking, acting.
In addition to ISO 22301, there are a few more noteworthy standards for business continuity. ISO 27001 focuses on information security management systems, ISO 22320 discusses incident response prerequisites, and ISO 31000 highlights general risk management and resource allocation as they relate to business continuity.
The Importance of Testing Your BCDR Plan
The worst time to discover a flaw in your BCDR plan is during an emergency. Smart organizations continually test and update their BCDR plans, especially in times of rapid change.
Testing methods can start with table-top exercises, where members of each business unit discuss plans and try to identify gaps. Structured walk-throughs go a step further, with team members going through their duties, complete with disaster role play for authenticity. Disaster simulation testing goes all in to replicate emergencies, and nothing is spared to deliver authenticity in these full-scale drills.
BCDR plans are your business’s lifeline during an emergency, so testing should be prioritized throughout the organization. Larger organizations should conduct table-tops quarterly and smaller organizations biannually, while full BCDR field tests should be run yearly by all enterprises. Best practice suggests running disaster recovery tests separately at least twice per year to minimize organizational disruption.
Testing should challenge your plan with the goal of continuous improvement and updated resiliency. Team members should regularly gather to review the plan and adjust as necessary.
Hyperproof Helps Keep Your Business Continuity and Disaster Recovery Plan Up to Date
Identify, assess, and prioritize risks
- With Hyperproof’s Risk Register, risk owners from all functions and business units can document their risks and risk treatment plans, and organizations’ leaders can better prioritize risk management activities. So, if/when a disaster occurs, your team can act on a BCDR plan quickly.
Create and maintain a secure and centralized location for BCDR work
- When conducting your business impact analysis (or other processes) as a part of your BCDR plan, you can feel confident that all related documents will be securely stored in Hyperproof’s platform. In addition to this, in Hyperproof it is easy to organize and find documents.
Easily set up and monitor BCDR standards
- Hyperproof comes with a growing library of quickstart framework templates, each featuring requirements and illustrative controls. It’s also easy to upload custom frameworks into Hyperproof. No matter which BCDR standard you’re working to complete (ISO 22301, ISO 27031, ISO 27001, etc.), our platform will help you to get it set up quickly and will allow you to continuously monitor progress.
*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Hyperproof Team. Read the original post at: https://hyperproof.io/resource/business-continuity-disaster-recovery/