These days, many organizations still lack training and awareness about the need for Business Continuity Planning (BCP). As explained in a recent post by Continuity Central (a continuity news and information source) on its website, continuity planning (CP) is “what guide[s] the organization through all phases of response and recovery following the onset of a disruptive incident – from the initial response and assessment to the eventual return to normal operations.” Continuity implies that activities and resources have minimal downtime following the adverse consequences of incidents and disasters.
Organizations that do not prepare a CP document that identifies actions in the form of roles and responsibilities and outlines steps and procedures are not able to meet CP objectives. For one, they cannot assure that critical business processes will be sufficiently resilient to continue operating effectively despite incidents. Applying BCP will do nothing to avoid, prevent or mitigate incidents that occur, but it will address operational issues and Business Resumption (BR) matters from the resilience/availability perspective. Adequate data recovery should also be considered (i.e., to secure on- and off-site storage of backup media) to preserve data.
Generally, to achieve a better understanding of firms’ preparedness, structure and stability in the event of a business interruption or catastrophe, it is essential to have knowledge of critical business processes and priorities. Only then will one be able to design and develop realistic IT CP/BR/DR (disaster recovery) reporting that includes, for example, ways to save data and maintain business operations.
Overall, the scope of BC planning is to evaluate resilience and recovery capabilities and risks inherent in the IT infrastructure. Those that put it to use will be prepared for unforeseen stakes and able to continue/resume operations in the aftermath of a crisis. One cannot stress enough the importance of planning and preparation, which are key to all CP-related activities. A CP-related plan is the essential source to turn to (other than the IT BC and DR Managers) to help business users, to some extent, deal with and get through crisis conditions or incidents (such as interruptions of power or telecommunications services).
Businesses of all sizes can do many things to deal with minor outages or other information security incidents and to mitigate their risks, from implementing safeguards and procedures designed to mitigate those risks to assessing the potential impact of the disruption of mission-critical systems/processes. The IT BC/BR/DR-related plans are to correspond to the CP-related policies, standards, procedures and guidelines that are brought into play to make this all possible. Therefore, it is in one’s best interest to invest in business continuity and be prepared in the event of a disaster, natural or man-made.
The Continuity Central post “explores different types of plans and examines their purpose within a wider business continuity strategy.” The article looks at the following plans and the function they serve:
The crisis/incident management plan: It provides a structured response to a disruptive incident that allows participants (who are sufficiently trained and prepared) to work through an emergency before it threatens the survivability of the organization; it outlines their roles and responsibilities in carrying out fundamental tasks to respond to and recover from a crisis. In particular, such a plan manages incidents and disaster scenarios during or following a major incident.
A crisis communications plan: “[It] serves to supplement crisis management activities by coordinating two-way communications with key internal and external interested parties,” as the post explains. It helps “increase the timeliness of messaging and feedback by providing a framework that defines who (to communicate with), how (to deliver the message or receive information), and what (to say).”
A business continuity plan: It is similar to a crisis management plan in some ways, but BCP involves measures to ensure the continuity, recovery and resumption of critical business functions to support the organization’s products and services at the onset of a disruptive incident.
The disaster recovery plan: It relates to recovering IT operations following incidents and disasters. As well, it involves planning (including step-by-step procedures) for the retrieval of critical IT systems and services in a fallback situation. It draws attention to the value of data backup.
In sum, each of the four types of plans presented offers some sort of strategy for several types of event scenarios that may occur; they are available for organizations to follow, if they wish. As it is impossible to predict the future, it’s always better to have such plans ready to protect assets from the impact of disruptive events.