What Is BCDR? Business Continuity and Disaster Recovery

As threats to business increase, business continuity and disaster recovery (BCDR) have emerged as critical aspects of business planning and business resilience. What is business continuity and disaster recovery, though?

The subsequent article covers what you need to know and how to leverage elements of business continuity and disaster recovery to prepare your business for inevitable disruption.

What is business continuity management?

Let’s start with the terms themselves. What is business continuity management (BCM)?

Well, business continuity management is the process of identifying potential threats to an organization and the impacts to business operations those threats, if realized, might cause as well as providing a framework for building organizational resilience with the capability of an effective response that safeguards the interests of the organization’s key stakeholders, reputation, brand, and value-creating activities.

What is disaster recovery?

Disaster recovery is part of business continuity. It deals with the immediate impact of an event, e.g., recovering from a server outage, security breach, or hurricane.

Disaster recovery tends to involve discreet planning steps, all aiming at stopping the effects of the disaster as quickly as possible and addressing its immediate aftermath.

What risks do Business Continuity and Disaster Recovery prepare you for?

BCDR focuses on the steps needed to continue the delivery of products or services at acceptable predefined levels following a disruptive incident. But what specific types of incidents do Business Continuity and Disaster Recovery prepare you for?

The types of incidents include:

• Power outage. Disruption in the supply of electricity. Typically resulting in loss of power to homes, businesses, or other facilities.
• Data breaches. Any security incident that results in unauthorized access to confidential information.
• Supply chain disruption. An interruption in the flow or process that involves any of the entities associated with the production, sales, and distribution of specific goods or services.
• Epidemic. An unexpected increase in the number of disease cases in a specific geographical area.
• Cyber attacks. Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.
• Natural disaster. Any dangerous meteorological phenomenon with the potential to cause damage, serious social disruption, or loss of human life.
• Non-compliance. When a company fails to follow the policies, standards, regulations, or laws that apply to its operations. 

How to develop a Business Continuity and Disaster Recovery capability?

How to ensure you are prepared for these types of business continuity risk and more? A key framework for developing a BCDR capability at your organization is following the business continuity lifecycle.

Stages of the business continuity lifecycle

That lifecycle includes the following stages:

Impact analysis

At the intersection of continuity planning and risk management lies the business impact analysis (BIA), the first stage of the business continuity lifecycle.

A diagnostic of a business’s internal dependencies and vulnerabilities, the business impact analysis provides the analytical baseline for developing planning materials and battle-readying continuity management systems and processes.

In essence, the BIA acts as the dashboard for asset protection and recovery action prioritization, keeping everyone from the CEO to the doorman on the same page, should disruption occur – after all, a lot goes into moving a product, from internal dependencies, like employee availability, corporate assets, and support services, as well as external dependencies, like suppliers.

A good BIA offers senior management a bird’s eye view of the critical business activities that generate the most money or benefits to the organization, how badly those activities would be impacted by a disruption, as well as insight into the pathways by which impact would possibly take place.

It’s these interdependencies that the business impact analysis is particularly focused on identifying and quantifying, with the analysis itself serving as a prerequisite for an informed prioritization of assets to protect and the relevant recovery actions to initiate in the case of an emergency.

So how do organizations identify these interdependencies, and what’s the best way to quantify the risks inherent in them? Well, the process for developing a BIA often takes the form of workshops or questionnaires. Interview staff from across the organization identify internal and external dependencies critical to their unit’s operations, before quantifying the business impact that will happen if these operations are halted.

Such analysis is oriented towards critical indicators that summarize the ‘breaking point’ for a business’s operations: the maximum amount of damage an operation can sustain before the business is functionally dead in the water, i.e. maximum acceptable outage, and the resources that would be required to return operations back to functional, i.e. strategies for recovery.

This process surfaces recovery requirements that are then used to develop strategies, solutions, and plans for the business’s unique vulnerabilities. At the end of the day, a BIA can be described simply as a stock-taking exercise of where a business’s vulnerabilities lie, and a quantification of how bad things would have to get before the whole business gets dragged under water.

Design

The data from the impact analysis informs the design of your BCDR strategy, the second stage of the lifecycle.

This stage, as the name implies, focuses on the concrete strategies the business will implement to meet the requirements that come out of the impact analysis stage.

Assets that come out of this stage include:

• Recovery strategy.
• Resource prioritization strategy.
• Documentation of the crisis communication plan and the BCP

Implementation

Implementation is where the rubber hits the road for Business Continuity and Disaster Recovery. This is the stage where the various strategies developed in the design phase are put into practice, often through the development of the business continuity plan itself (More below).

The plan itself represents the sum of documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption.

Testing

Of course, that paln must be tested and validated, bringing us to the fourth stage of the lifecycle. Testing, here, refers to the procedure for evaluation.

The purpose of testing BCDR procedures is to validate that they are consistent with BCDR objectives. To ensure that happens, testing must accomplish the following:

• Be consistent with the scope and objectives of the management system
• Be based on appropriate scenarios that are well planned with clearly defined aims and objectives
• Validate whole BCDR arrangements, involving relevant interested parties
• Minimize the risk of disruption of operations
• Produce formalized post-exercise reports that contain outcomes, recommendations, and actions to implement improvements
• Be reviewed within the context of promoting continual improvement
• Be conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates

Maintenance

However, the testing stage isn’t the end of the story. The penultimate stage of the lifecycle is maintenance.

Far from a static stage, though, maintenance is intended to keep aspects of the management system in alignment with business imperatives and updated with regards to the business risk environment.

As a result, businesses need a plan of attack to ensure this maintenance stage is rigorous. The following should, therefore, be agreed upon ahead of time:

• What needs to be monitored and measured
• The methods for monitoring, measurement, analysis, and evaluation
• When the monitoring and measuring shall be performed
• When the results from monitoring and measurement shall be analyzed and evaluated

How might companies conduct maintenance exercises? Internal audits are one way in which companies conduct evaluations of their BCDR procedures and capabilities to ensure continuing suitability, adequacy, and effectiveness.

And it should be senior management that’s responsible for conducting these reviews. After all, senior management can properly evaluate the management within the context of salient changes to the internal and external risk environment.

Improvement

For the organization to continually improve the suitability, adequacy, or effectiveness of its management system, more than just maintenance will be needed. Indeed, the maintenance stage is set up to yield information on BCDR performance, including trends in nonconformities and corrective actions. Understanding these trends is crucial to improving the management system, which makes improvement the final stage of the lifecycle.

But what does this stage look like in practice? It includes the following steps:

• Identification of nonconformity
• Reaction to nonconformity, e.g., taking action to control or correct it
• Evaluation of the need to eliminate the causes of nonconformity
• Implementation of any action needed
• Review of the corrective action taken
• Changes to the management system (if necessary)

What is the business continuity and disaster recovery plan?

The business continuity and disaster recovery plan consists of documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption.

The contents of the BIA, as noted above, get fed into this plan. Putting together the actual plan usually falls to a governance committee.

Here, C-suite involvement is critical. Most BCDR governing committees are headed by an executive sponsor. That sponsor is nominally responsible for initiating, approving, auditing, overseeing, and testing the plan.

Meanwhile, day-to-day management falls to a BCDR coordinator. Depending on the size of the company, that coordinator might have a dedicated staff. Other in-house members of the committee include a senior security officer, the CIO (given the centrality of IT systems to business continuity), and senior representatives from the remaining business units.^[i]

Plans can take different forms, usually, however, the following elements are present:

• A list of relevant company, insurance, and supplier contacts.
• References. Helpful information might include links to the appropriate state and federal regulator, e.g. Emergency Management Australia.
• Relevant standards with which the plan complies, e.g. ISO 22301.
• Organizing objectives and driving principles. The primary objective of your plan is to ensure maximum possible services levels are maintained. Meanwhile, assessing business risk for probability and impact might also be an important principle to document.
• The objectives and principles sections might be part of a longer executive summary, a comprehensive overview of the BCP.^[ii]
• The contents of the BIA, including a list of likely threats, i.e. building loss, document(s) loss, systems going offline, loss of key staff, etc.
• Scenario planning for the risks you’ve identified. Once a risk is listed, the plan will outline probability and impact of occurrence, likeliest scenario(s) to unfold, business functions affected, actions to take and preventative mitigation strategies, staff responsibilities, as well as operational constraints.

The importance of digital software in business continuity and disaster recovery

Another important element in building a BCDR capability is having the right tools and resources to perform activities like running a BIA, preparing a business continuity and disaster recovery plan, or trainings and exercises.

Here, business continuity software, in particular, can help. Such solutions enable organizations to be prepared for adverse events and disruptions and stay ahead of the curve, with streamlined, integrated, and automated business continuity management that facilitates engagement and collaboration across all stakeholders and ensures a unified approach to resilience.

Which functionality serve to keep the BCDR capability running? Consider the following:

• In-built BIA tools simplify the business impact analysis process, drive engagement across the organization, and guide teams through the process step-by-step, ensuring BIAs are rich with insightful data to help organizations truly understand how their business works and where their risks lie.
• Digitization helps replace paper-based, static business continuity plans with dynamic business continuity plans that ensure plans are always up-to-date and quickly available for all your users, on any device.
• Exercise management functionality keeps teams prepared to handle any situation that comes their way.

Of course, business continuity platforms like Noggin do more to automate the BCDR function than that. What else? Request a demo to see for yourself.

[i] Government of Canada, Public Safety Canada: A Guide to Business Continuity Planning. Available at https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/bsnss-cntnt-plnnng/index-en.aspx.

[ii] Queensland Government, Business Queensland: What’s in a business continuity plan? Available at https://www.business.qld.gov.au/running-business/protecting-business/risk-management/continuity-planning/plan.