Why Business Continuity Is Critical For Your Organization

Oct 7, 2024 | Elden Quesinberry

What’s The Difference between Business Continuity Planning and Disaster Recovery?

This question comes up all the time, so let’s answer it right away. While some people may consider them to be the same, here at Layer8 Consulting, we feel Business Continuity Planning (BCP) is the overall process to mitigate risk to the organization and to keep it functioning smoothly. Disaster Recovery (DR) has a narrower focus and pertains to restoring operations and access to resources during an event. DR is typically, but not always, more IT-related. Think of it in terms of your car: if something isn’t running right, you head right to the repair shop to get it fixed – this is DR. Looking at the bigger picture, you should also be doing oil changes & preventative maintenance along with evaluating the life of your current car and when it’s time to buy a new one before it breaks – this is BCP.

What Goes Into Business Continuity Planning?

BCP activity can be as minimal or as all-encompassing as an organization wishes. However, there are common goals and things to consider for any business continuity plan.

The Primary Goals of a BCP

The main goal of a Business Continuity Plan (BCP) is to maintain an organization’s key functions and mitigate risk. A well-designed BCP ensures that an organization is prepared to continue operating at a minimal functional level in the event of an unplanned event. 

Does My Company Really Need a BCP?

Which business organization wouldn’t want fewer customer-impacting disruptions, improved customer satisfaction, and a quicker recovery from a disaster? If any of those three matter to you, you need a BCP. In addition, your cyber insurance carrier will likely rate you lower, or may not underwrite a policy at all, until you have a documented BCP. While you may think you have your own house in order for risk mitigation, there are external threats that, if not considered, could be harmful to your organization. How many organizations never expected to be impacted by the CrowdStrike incident in July of 2024, yet were, in a huge way?

The Main Components of a BCP

While there are several frameworks and BCP structures out there, all business continuity plans should have the following vital components.  

Business Impact Analysis

Gartner defines a Business Impact Analysis (BIA) as “the process of determining the criticality of business activities and associated resource requirements to ensure operational resilience and continuity of operations during and after a business disruption.” The primary steps within a BIA are:

  • Identify critical business functions of the organization
  • Determine dependencies of the business functions
  • Assess the impact on the business functions
  • Prioritize business functions
  • Set recovery objectives

The outcome of a BIA will show which business functions are critical to the organization and allow it to prioritize certain business functions over others based on the three considerations of financial, operational, and reputation.

Risk Assessment

The risk assessment differs from the BIA in that it proactively identifies potential adverse events along with existing vulnerabilities that could lead to the event having an impact on one or more business functions. The risks include natural disasters, infrastructure failures, security breaches, loss of key personnel, etc. An organization can better understand what potential events have the highest impact after considering known vulnerabilities.

Risk Mitigation

The first step of the risk mitigation phase is making a list of the preventative measures already in place that reduce the likelihood or the impact of an event. Examples would be UPS units and generators in case of power failure, data backups, redundant infrastructure, etc. The output of the overall BCP process should determine whether additional risk mitigation efforts are required beyond what’s currently in place. If a critical business function identified during the business impact analysis phase would suffer a large impact should an event occur, and the likelihood of that event happening is high, the organization needs to decide whether it’s worth implementing more risk mitigation efforts to reduce the risk to an acceptable level.
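To make the BIA steps (identify functions, determine dependencies, assess impact, prioritize, set recovery objectives) and the risk assessment/mitigation decision concrete, here is an added worked example. It is constructed for this article and is not a Layer8 tool or template; the business functions, the 1–5 impact scores, the threat events, the in-place controls and the acceptable-risk threshold of 8 are all made-up sample data. It scores each function on the three considerations (financial, operational, reputation), pushes each function’s criticality and RTO down onto the resources it depends on, and then scores each event as likelihood × worst affected impact, skipping resources that an existing preventative measure already covers.

```python
"""Constructed BIA / risk-assessment example (illustrative, not Layer8's own tooling)."""
from dataclasses import dataclass, field


@dataclass
class BusinessFunction:
    name: str
    financial: int      # 1 (negligible) .. 5 (existential) impact if the function is down
    operational: int
    reputation: int
    rto_hours: int      # Recovery Time Objective the business has set for this function
    depends_on: list = field(default_factory=list)   # resources the function cannot run without

    def impact(self) -> int:
        # The worst of the three considerations drives the function's criticality.
        return max(self.financial, self.operational, self.reputation)


@dataclass
class ThreatEvent:
    name: str
    likelihood: int     # 1 (rare) .. 5 (expected within the planning horizon)
    affects: list       # resources the event takes out


def prioritize(functions):
    """BIA step 4: highest impact first, then the tightest RTO, then name for a stable order."""
    return sorted(functions, key=lambda f: (-f.impact(), f.rto_hours, f.name))


def resource_requirements(functions):
    """BIA step 2/5: each shared resource inherits the highest impact and the shortest RTO
    of every function that depends on it, so DR knows what the resource must deliver."""
    reqs = {}
    for f in functions:
        for r in f.depends_on:
            prev_impact, prev_rto = reqs.get(r, (0, f.rto_hours))
            reqs[r] = (max(prev_impact, f.impact()), min(prev_rto, f.rto_hours))
    return reqs


def assess_risk(event, functions, controls, acceptable=8):
    """Risk assessment: likelihood x worst impact among functions that lose a resource.
    A resource already covered by a preventative control is treated as not lost."""
    lost = [r for r in event.affects if r not in controls]
    hit = [f for f in functions if any(r in lost for r in f.depends_on)]
    impact = max((f.impact() for f in hit), default=0)
    score = event.likelihood * impact
    return {
        "event": event.name,
        "lost": lost,
        "functions": sorted(f.name for f in hit),
        "score": score,
        "needs_mitigation": score > acceptable,   # threshold is a constructed assumption
    }


def mitigation_backlog(events, functions, controls, acceptable=8):
    """Events whose residual risk is above the acceptable level, worst first."""
    results = [assess_risk(e, functions, controls, acceptable) for e in events]
    return sorted((r for r in results if r["needs_mitigation"]), key=lambda r: -r["score"])


# Constructed sample data (scores, names and controls are invented for illustration).
FUNCTIONS = [
    BusinessFunction("order fulfilment", 5, 5, 4, 8, ["erp", "warehouse", "power"]),
    BusinessFunction("customer support", 3, 4, 5, 24, ["email", "phones", "power"]),
    BusinessFunction("payroll", 2, 2, 3, 72, ["erp"]),
    BusinessFunction("marketing site", 2, 1, 3, 48, ["web_hosting"]),
]
EVENTS = [
    ThreatEvent("power failure", 4, ["power"]),
    ThreatEvent("fire at primary site", 2, ["warehouse", "email", "phones"]),
    ThreatEvent("ERP ransomware", 3, ["erp"]),
]
CONTROLS = {"power": "UPS + generator", "web_hosting": "multi-region hosting"}

if __name__ == "__main__":
    print("Priority order:", [f.name for f in prioritize(FUNCTIONS)])
    for resource, (impact, rto) in resource_requirements(FUNCTIONS).items():
        print(f"  {resource:12s} must recover within {rto:3d}h (impact {impact})")
    for item in mitigation_backlog(EVENTS, FUNCTIONS, CONTROLS):
        print("Mitigate:", item["event"], "score", item["score"], "affects", item["functions"])
```

Two things worth noticing in the output: the ERP system inherits an 8-hour RTO from order fulfilment even though payroll alone would tolerate 72 hours, which is exactly the dependency discovery the BIA is meant to surface; and the power failure drops to zero residual risk because the UPS and generator are recorded as an in-place control, while the fire and ransomware scenarios land on the mitigation backlog for the organization to decide on.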

Disaster Recovery Plans

Hopefully, the organization has some existing disaster recovery plans in place. One of the outcomes of a successful business continuity plan is developing more efficient and increasingly functional DR procedures that can be documented and tested. While many DR plans are initially created with the intent of recovering IT resources, the organization may discover there are other major dependencies to a critical business function. The DR plan may need to be expanded to cover recovering critical workspaces such as a warehouse or manufacturing site.

Documentation, Testing, and Training

The final component of a BCP would be documentation, testing, and personnel training. Many times clients will draft or copy plans as part of an overall effort, only to tuck them away and go back to their daily operational tasks. Other than checking the compliance box that “we have a BCP”, what good is the plan?

The organization should frequently cycle through the documentation, testing, and training phases. It’s extremely rare for DR procedures to be 100% successful on the first few rounds of testing. The portions of the plan that did not work as expected or did not meet the Recovery Time Objectives (RTO) must be corrected, the plan documentation updated, the participating personnel trained on the new procedures, and the procedures re-tested. Several iterations of cycling through these three phases should produce a solid BCP that will be effective should an event occur.

Earlier in this article, I mentioned that one of the compelling reasons to have a solid BCP/DR plan is to be eligible for cybersecurity insurance. In today’s world, the insurance carrier will not only ask you to certify that you have BCP & DR plans, but also that they are documented and practiced.

Don’t know where to start with testing? Begin with exercising the plan(s) in a controlled environment using “tabletop” exercises. This is where the organization runs through the documented plan with key stakeholders using an imaginary event scenario. An example would be a fire that has damaged a primary location that impacts critical business functions for an extended period. The stakeholders run through the plan checking to see if the plan procedures work or not. An example of a step requiring improvement might be a department head saying, “I’ll email everyone and tell them about the event”. What if the event impacted the company’s ability to send/receive email? Would all key employees receive the email? What if their laptop was destroyed in the fire?

Types of Impacts To Consider

The three typical impacts to be considered are the following:

  • Financial
  • Operational
  • Reputation

Financial

The first consideration of business continuity planning is typically, “How much will our revenue be impacted if we have an event?” Having a big and/or prolonged event has put many organizations out of business or severely impacted them. 

Operational

A close second to financial is operational impact. What if an event slowed your organization’s ability to produce and distribute products? What if the event impacted your customer service teams? Impacts like these create operational issues, which can quickly lead to financial effects.

Reputation

The third primary consideration is reputation. As a business owner myself, I’ve worked extremely hard to build the reputation we’ve earned today. To think that an event that we could have prevented would tarnish our reputation is unthinkable. Again, the loss of reputation quickly leads to a financial impact.

How Do I Choose a Business Impact Consultant?

When considering a services company to assist with your BCP and DR plans, ask the following questions:

  • What is your experience in helping us create a BCP or DR plan?
  • Have you actually assisted your clients with testing the plan(s) you create?
  • Have you ever assisted with supporting a customer through a real disaster?

Layer8 has created plans for organizations, and yes, we’ve assisted and/or led efforts to recover critical business functions after events have impacted our customers. Give us a call today to see how Layer8 can help you create your business continuity and disaster recovery plans.

In the next Layer8 BCP/DR blog

We’ll move on to the benefits and details of disaster recovery planning.