While it’s universally accepted in the IT and data center world that Backup/Restore as well as Disaster Recovery are critical components of each company’s IT strategy, not every stakeholder is aware of Business Continuity. Data Protection strategies can be looked at like an onion where the inner ring is Backup/Restore, the middle ring is Disaster Recovery and the outer ring is Business Continuity, with each ring adding extra capabilities and business outcomes. So what is it all about, how does it help and how should you set up your Business Continuity Strategy?
First of all, let’s do a bit of recapitulation:
- Backup/Restore is the discipline that dictates the capabilities, processes and tools necessary to back up production data and subsequently restore that data in case of a data loss of any kind
- Disaster Recovery is the discipline that dictates how an enterprise can immediately recover from a disaster (a catastrophic loss or failure of part or all of the systems at a given facility) and which tools/processes need to be used to do so
Taking it from there, Business Continuity can be defined as the discipline that dictates how an enterprise can continue its business operations in the event of a catastrophic loss/failure. It’s essential to insist on the business attribute of this discipline because it is not so much technical as it is business and process based: in the case of business continuity we must look holistically at the business operations of a company, its environment, locations and people. The Disaster Recovery and Backup/Restore disciplines are part of the Business Continuity (further shortened as BC) strategy but are only some of the multiple aspects taken into consideration.
Business Continuity’s role: staying in business
A BC strategy should be backed by a Business Continuity Plan (BCP). Because the role of BC is to ensure the continuity of business operations, the plan needs to be laid out taking into consideration the business operations of an enterprise, and not at the server or infrastructure level.
If the target of a BCP is a bank, operations could be, for example, clearing and payment settlement operations. This would be one stream of the BCP. Under this stream, all of the processes would be listed, and further down the line, the applications supporting these processes and the related servers/infrastructure should be mapped. Needless to say, it’s also necessary to map the key individuals in the organisation supporting this process, as well as the way they can support the business in case of a critical event.
As outlined several times above, the scope of business continuity is to continue doing business even in the case of adverse events. It is up to the business’s senior management to determine whether it is worth continuing to do business or whether it is better to halt business activities. Some regions of the world can be affected by violent demonstrations, civil war situations or natural catastrophes, and it is really the business’s responsibility to weigh all of these factors and incorporate them into the BCP. The same goes for any considerations related to keeping systems up: the BCP should highlight which facilities are to be leveraged to run critical IT systems in case the primary facilities are lost. The location of secondary facilities, their accessibility through transportation and their connectivity need to be assessed – not only from a “business as usual” perspective but also and mainly from a disaster scenario perspective.
The Business Continuity Plan: A Handbook for keeping your business rolling
Here is what needs to be in a BCP:
- must be consistent: mapped to processes
- must assess potential loss/hour for each service/process offered by the company
- must assess the cost of renewing service vs keeping it down
- must understand process interdependencies
- must be clear:
  - explain services that must absolutely run vs services that can be renewed later
  - provide order to restore services/processes
  - identify all key stakeholders/individuals tied to each service/process
  - identify who will work from where with which instruments and how they’ll connect to the enterprise network
  - provide contingency communication methods for:
    - internal communication (employees)
    - external communication (customers, suppliers)
    - regulatory communication (regulation institutions: national banks, health care institutions etc.)
- must be realistic: if all production sites are destroyed, is there a reason to do business continuity when there is nothing to continue?
In an ideal world, the approach to how we protect our IT systems should be top-down and subject to adhering to and supporting business imperatives. While it’s great to have Backup & Restore in place, or even better a Disaster Recovery strategy in place, the optimal effect of both can be achieved only when they are subordinated to a Business Continuity Plan that orchestrates how an enterprise should react to theoretically unforeseen circumstances. A thoroughly laid out and regularly tested Business Continuity Plan is the key to an enterprise’s resiliency and is often the critical differentiator between remaining in business and having to close doors. It is the utmost responsibility of enterprises to plan for the unforeseen; a well laid out Business Continuity Plan is proof of maturity towards a company’s shareholders, employees and customers.