If you don’t have a plan, the most important step is to get started building one. If you do have a continuity program, the most important step is to make sure it is current, accurate and familiar to those with the responsibility for its execution and for protecting your stakeholders.
Please do not be seduced by the illusion that data backup is a business continuity program; it is not. While it is accurate to say that it represents a data continuity plan, it is a dangerous misconception to think it is a full business continuity program.
The reason? Enterprise risks are not just technology- or data-related. Active threats, failure events and downtime come in all sizes and degrees of magnitude. Not everything that can take a company down is a fire in the data center or a malware-infested server. A mishandled PR event, employee litigation or supply chain disruption can be just as damaging to earnings as a technology failure event. A comprehensive, enterprise business continuity program is the real answer you are looking for.
Just like many other aspects of our daily lives, like seatbelts, fire extinguishers and a napkin at a spaghetti dinner, a business continuity program is something that you don’t need until you need it, and then it’s too late.
The intent of business continuity planning is to help your organization demonstrate reasonable care in protecting its stakeholders, proactively avoid recognizable risks and, should a disruptive event occur, provide your team with the confidence, resources and processes needed to quickly and effectively manage to the level of need.
Having a plan saves lives, brand value and revenue while reducing legal exposures, compliance deficiencies and open-ended recovery costs … and as if that weren’t good news enough, the process improvements and increased efficiencies identified in building a continuity program often far exceed the investment in creating the program.
A: This is a great question as it speaks to terminology confusion that has existed for decades.
While both plans are designed to avoid recognizable risks and maintain operational capabilities should downtime occur, there are key differences, so the two terms are not interchangeable.
The business continuity program focuses on sustaining the company’s business activities, particularly those related to revenue generation, workforce protection and management of corporate obligations. It also documents and process-enables the systems, plans and leadership skills the company can use in the response, restoration, and recovery phases of any emergency-related activities.
A disaster recovery plan is focused on the technology needs of a company during an emergency. By design, it documents and process-enables the technology support efforts necessary to protect and restore technology systems within predefined times that support the business mission and minimize the impact and cost of downtime when it occurs.
No; however, they are two sides of the same “cause & effect” coin.
Both steps are necessary to prioritize recovery efforts, resource assignments and budget allocations to protect and preserve the company’s most vulnerable and time-sensitive operations.
A risk assessment identifies causality, qualifying the probability of threats and vulnerabilities to a company, and helping to prioritize risk mitigation and restoration efforts.
A business impact analysis (BIA) is focused on quantifying the impact and loss potential to a company if any significant business function or department is unavailable for any reason. Since a BIA is not a mitigation or continuity strategy effort, the process is not too concerned with cause … just the impact of hard and soft losses based in dollars and performance.
No, you do not need to invest in software to get your program in place. In fact, I’m of the opinion that it’s better to build the program without software. Then once the plan is created, implement a cost-effective software program to add a layer of availability to your plan and to make maintenance and future updates easier.