The time to plan a response to a crisis is before one hits. CIOs who wait for one to occur set themselves up for a long, uphill battle.
While CIOs will most likely have a team in place that is responsible for maintaining and testing one or more technology disaster recovery (DR) plans, they're also likely to be an integral part of implementing an IT business continuity (BC) plan, especially in the wake of the COVID-19 pandemic.
What is an IT business continuity plan?
BC plans differ from DR plans in that they focus on protecting the entire organization, with IT as a key enabling resource, whereas DR plans typically focus on protecting the overall IT infrastructure. BC plans have several inputs that contribute data on how the business operates. These include a business impact analysis (BIA), a risk analysis and a definition of recovery strategies for the business elements that have been identified as mission-critical.
What's in a BC plan?
A typical BC plan includes the following:
- statements on the purpose, scope and objectives of the BC plan;
- identification of mission-critical business activities for the organization;
- potential losses to the organization if those functions cannot be performed;
- risks, threats and vulnerabilities to critical functions and measures to prevent their occurrence;
- strategies and procedures for responding to disruptive events and recovering critical functions;
- contact lists for important internal and external contacts -- e.g., vendors and government agencies;
- inventories of critical records, such as customer records, hard-copy documents and legal documents, and where they are stored;
- inventories of critical business resources, including office equipment, furniture and systems;
- floor plans of typical office areas in case of relocation to alternate space;
- succession plans to ensure suitably trained employees can take over duties of employees who are unavailable due to health, vacations, etc.;
- procedures for dealing with the media;
- procedures for interacting with key organizations, such as banks, insurance firms and utilities;
- procedures for responding to the initial stages of the event -- also known as the incident response;
- procedures for transitioning from incident response to business recovery;
- procedures for transitioning employees from disaster mode to business mode;
- procedures for ensuring that IT resources are operational;
- procedures for resuming normal business operations; and
- procedures for preparing after-action reports summarizing lessons learned from the event.
Guidance for preparing BC plans is available from many sources, including international and domestic standards, industry-specific guidelines, technical reports, training programs and a wide variety of software products.
Why is a BC plan so important?
Perhaps no better reason currently exists for having a BC plan than the COVID-19 pandemic. It's also just as important to the companies an organization works with, as BC plans demonstrate the organization's commitment to protecting the business and keeping it operational, despite the potential for disruptive events.
From an audit perspective, BC plans are increasingly vital for performing audit controls. Internal and external auditors are more familiar with BC plans -- and technology DR plans -- than in previous years, so CIOs must recognize the importance of these documents, even if they are not formally tasked with leading a BC plan initiative.
Experience has shown that enacting BC and DR plans increases the likelihood of an organization successfully recovering from a disruptive event and resuming operations. Simply knowing what to do in an emergency can greatly improve the organization's chances of a successful recovery. This is especially true when responding to IT infrastructure disruptions.
IT's role in BC plan development
IT infrastructure underpins most business-critical functions, so one of the first things IT should do when developing a BC plan is to map the relationship between technology resources and business functions. One of the most important outputs from a BIA is identification of IT resources that support mission-critical functions, as there are two metrics that result from it: recovery time objective (RTO) and recovery point objective (RPO).
- RTO defines the maximum time specific business functions can be disabled before the organization experiences losses. For IT, this means the maximum amount of time specific systems and resources can be disabled before the business suffers. A general rule of thumb for RTOs and RPOs is: the shorter the time frame, the greater the potential investment needed to achieve that metric.
- RPO defines how current data, databases and other resources must be, measured against when they were last backed up. Customer personal data, for example, may be critical to an organization's business. Such data should be backed up more frequently than other resources, and ensuring that low RPOs -- i.e., under 1 hour or under 5 minutes -- can be maintained requires investments in more sophisticated data mirroring or replication technologies, as well as increased data storage capacity.
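As an added example (not from the article), a small Python check that applies RTO and RPO to a constructed system inventory: it flags systems whose time since the last successful backup already exceeds their RPO, whose backup interval can never meet the RPO even when every job succeeds, and whose documented recovery steps add up to more than the RTO. The system names, targets and timings are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class CriticalSystem:
    name: str
    rpo: timedelta                 # maximum tolerable data loss
    rto: timedelta                 # maximum tolerable downtime
    backup_interval: timedelta     # how often backups or replication run
    last_backup: datetime          # last successful backup or replication point
    recovery_steps: dict = field(default_factory=dict)  # step -> planned duration

def data_loss_exposure(system: CriticalSystem, now: datetime) -> timedelta:
    """Worst-case data loss if the system failed right now: everything since the last good backup."""
    return now - system.last_backup

def evaluate(system: CriticalSystem, now: datetime) -> list:
    """Return findings where the current state or the plan itself cannot meet the system's RPO/RTO."""
    findings = []
    exposure = data_loss_exposure(system, now)
    if exposure > system.rpo:
        findings.append(f"RPO breached: {exposure} since last backup exceeds RPO {system.rpo}")
    if system.backup_interval > system.rpo:
        findings.append(f"backup interval {system.backup_interval} cannot meet RPO {system.rpo} even if every job succeeds")
    recovery = sum(system.recovery_steps.values(), timedelta())  # time the BC plan commits to
    if recovery > system.rto:
        findings.append(f"RTO at risk: planned recovery {recovery} exceeds RTO {system.rto}")
    return findings

# Constructed sample inventory (hypothetical systems, not from the article).
NOW = datetime(2024, 3, 2, 9, 0)
INVENTORY = [
    CriticalSystem("customer-db", rpo=timedelta(minutes=5), rto=timedelta(hours=1),
                   backup_interval=timedelta(minutes=1), last_backup=datetime(2024, 3, 2, 8, 59),
                   recovery_steps={"failover": timedelta(minutes=10), "dns": timedelta(minutes=5),
                                   "validate": timedelta(minutes=15)}),
    CriticalSystem("file-share", rpo=timedelta(hours=1), rto=timedelta(hours=4),
                   backup_interval=timedelta(hours=24), last_backup=datetime(2024, 3, 1, 22, 0),
                   recovery_steps={"restore": timedelta(hours=3), "verify": timedelta(minutes=30)}),
    CriticalSystem("erp", rpo=timedelta(hours=1), rto=timedelta(hours=2),
                   backup_interval=timedelta(minutes=15), last_backup=datetime(2024, 3, 2, 8, 50),
                   recovery_steps={"provision": timedelta(minutes=90), "restore": timedelta(minutes=45),
                                   "validate": timedelta(minutes=20)}),
]

def assess_inventory(systems=INVENTORY, now=NOW) -> dict:
    """Map each system name to its findings; an empty list means both RPO and RTO are met."""
    return {s.name: evaluate(s, now) for s in systems}
```

Running `assess_inventory()` against this inventory reports the nightly file share as breaching its RPO on both counts and the ERP plan as too slow for its RTO, while the replicated customer database passes.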