Businesses are critically dependent on information and the technology used to collect, process, and deliver the information. From customer and supplier data to financial and operational data, businesses generate an enormous amount of information necessary to run the organization.
But what happens when businesses lose crucial data due to a disaster? The US Bureau of Labor and the Archives & Records Administration in Washington reported that 93% of businesses fail within a few years of a major data catastrophe. That is an astounding number and one that all business owners must consider to adequately assess business risk.
Data disasters are typically classified into two categories - natural and human-induced. Natural disasters include floods, tornados, natural fires or other environmental causes, and only constitute about 1% of data catastrophes.
Human-induced disasters including negligence, errors or failure of something made by humans, are responsible for 99% of business data loss. Negligence and errors cause about 14% of the disasters, while hardware and software failures combined cause 85% of data loss.
A Disaster Recovery Plan (DRP) is a plan to protect an organization's data and IT infrastructure in the event of a disruption, and is a necessary component in minimizing business data loss or other negative impact from a data catastrophe.
A DRP is a set of controls that defines the processes to reestablish data, infrastructure and communications in an emergency situation to keep the business operational. Three main controls defined as part of a DRP are the preventive, detective and corrective measures to ensure proper actions are completed based on triggering events. The DRP is documented and tested on a predetermined basis.
The DRP is actually a subset plan of a Business Continuity Plan (BCP). The BCP is a logistical plan that clearly defines how a business will recover operations in the event of a natural or man-made disaster. A BCP is a prerequisite element to include as part of a successful business plan.
Failure to identify, plan and manage business risk - including business operations and business data - is a recipe for disaster. A disturbing example is the 9/11 tragedy. One hundred fifty of the 350 businesses impacted by the terrorist attacks in New York City never reopened after the disaster. The affected businesses that established and implemented a comprehensive BCP prior to the disaster were up and running within days.
Regardless of the primary cause of a disaster, it is possible to have a BCP that details the steps necessary to continue business functions. There are many resources available that describe the process to develop a BCP. A standard process-driven approach should include multiple phases:
Requirements and Strategy - Business impact analysis - Risk assessment - Define recovery options - Select recovery options
Implementation - Build plan - Test plan
Once the BCP is established, organizations must engage in on-going efforts to maintain the BCP in a state of continued reliability and usability:
Assess the current state of readiness to determine if business requirements are being met and, if necessary, make improvements to meet the requirements
Review and implement operational management processes and the appropriate controls to ensure that the plan stays fresh and is always ready to use.
Businesses should engage in appropriate Operational Management processes to keep the BCP up to date and in alignment with current business requirements. A well defined and implemented process, complimented by regular audits, helps insure plan readiness.
The following processes should be tailored to unique requirements of each business, and are standard components of an ongoing risk management program.
Education and Awareness: Ensure that all employees are aware of the implications of the Business Continuity Plan and IT Disaster Recovery Plan, and consider this part of normal business routine and budget.
Review and Audit: Perform regular reviews of all continuity plan deliverables to ensure that components are current and up to date.
Testing: Establish a program of regular testing to ensure that the critical components of the plan are tested at least annually or as determined by management. Testing will validate that the plan is actually ready.
Change Management: In response to day to day changes, update and manage continuity plans to ensure that changes to the business or IT Infrastructure are reflected appropriately in the plans.
Training: Train all team members to effectively execute the recovery plan.
A thoroughly documented, dynamic and tested BCP & DRP will minimize business impact in the event of any disruption. It is a self-designed insurance plan for the business that will pay big dividends if the unthinkable should occur.