A Business Continuity and Disaster Recovery Checklist
As business processes and their supporting Information Technology (IT) systems become more important to public and private entities, the requirements for an effective Business Continuity/Disaster Recovery (BC/DR) program are becoming more critical. There are many factors to consider when developing an effective BC/DR program. The checklist below can help you get started.
First, high-level definitions:
Business Continuity and Disaster Recovery Program: The overall package; includes everything from the governing policy to periodic testing
Business Continuity Plan: A formalized set of steps that define how an organization’s business processes will be sustained during and after a significant incident
IT Disaster Recovery Plan: A written plan with detailed steps for recovering critical business applications in the event of a major hardware or software failure or the unavailability of facilities
Cold Site: An alternate site that has the necessary electrical and physical components of a computer and/or business facility but does not have the computer equipment or other business requirements in place; to facilitate a cold site, contracts with third-party suppliers would need to be in place for rapid delivery (typical recovery timeline: three to five days)
Warm Site: An alternate site that has the necessary electrical and physical components of a computer facility and is partially equipped with IT and telecommunications equipment to support relocated IT and business operations in the event of a significant incident (typical recovery timeline: two to three days)
Hot Site: An alternate site that is fully operational and equipped with hardware, software, replicated data, and/or business equipment to be used in the event of a disaster (typical recovery timeline: within hours)
So why should you implement a BC/DR program? Three key reasons:
- A major incident or system outage could have a massive impact on the business if there’s no BC/DR program in place.
- When a disaster occurs, a BC/DR program with a formal process helps you avoid business failure.
- Effective backup and recovery strategies will mitigate the impact of disruptive events.
Plus there are numerous business outcomes from an effective BC/DR program. You can:
- Build a partnership between business units and IT to develop a set of plans and procedures that will maximize the potential of an effective and timely resumption of disrupted critical business processes.
- Coordinate BC planning and IT recovery planning programs on an ongoing basis.
- Minimize potential disruptions.
- Mitigate financial and operational impacts to the business if a major incident occurs at an occupied facility.
- Effectively utilize all available resources for recovery—including facilities, personnel, communications, equipment, and supplies.
The BC/DR Checklist
For a BC/DR program to be effective, it should include the following:
- Business Impact Analysis (BIA) and IT Risk Assessment (R/A). The BIAs and R/As are required to identify and prioritize critical business processes, supporting IT systems, and other components. The BIA and R/A are crucial steps to ensure that efforts are being spent on truly critical business areas.
- Continuity and Recovery Policy Statement and Standards. A formal policy provides the governance, guidance, and requirements necessary to manage an effective BC/DR program. Formal recovery standards define the minimum requirements for items such as tape backup, hard copy backup, crisis management, application development, and training.
- Preventive Measures. Actions taken in advance to reduce the effects of incidents can also increase system availability and reduce BC/DR lifecycle costs.
- Business Continuity Plan. The business continuity plan describes the steps the business will follow to recover quickly and effectively following an incident.
- IT Disaster Recovery Plan. The IT disaster recovery plan contains detailed steps and procedures for recovering damaged or unavailable IT systems.
- Application Recovery Procedures. The application recovery procedures should be detailed enough that any experienced IT person can recover the business applications. This reduces the need for the on-site support of application programmers, database managers, etc., for recovery. It also allows for the use of third-party providers to recover for you, with minimal knowledge of your systems.
- Plan Maintenance. All plans should be thought of as “living documents” and, as such, should be updated and recertified regularly to remain current with facility and system enhancements.
- Plan Testing and Training Exercises. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall preparedness.
If you take the time and effort to implement a BC/DR program, you will be better situated to either head off or respond to major incidents that impact your ability to sustain your business.