Go Pro: Every BCM Practitioner Should Know About DRI’s “Professional Practices”

Richard Long

It’s easy to get lost in the weeds in talking about Business Continuity and IT/Disaster Recovery. For a bird’s-eye view of the field, you might find it helpful to check out Disaster Recovery Institute International’s “Professional Practices.”

 

 

There’s one thing almost everyone agrees on about Business Continuity (BC) and IT/Disaster Recovery (IT/DR): there are a lot of details, the content is abstract, and it can be hard to maintain perspective.

Sometimes it helps to go up in a helicopter (so to speak) and survey the scene from altitude.

One of the best high-level overviews of BC and IT/DR that we know of is the Executive Summary of Professional Practices from the Disaster Recovery Institute International (DRI).

In case you’re not familiar with them, DRI is a nonprofit organization based in New York City that provides accreditation to BC professionals and helps organizations around the world do better at business continuity and disaster recovery.

The Professional Practices is their description of the entirety of business continuity and what is required to create a solid program. The Executive Summary boils this down to the essentials.

We at MHA Consulting make heavy use of DRI’s framework in our work with our client companies. In our view, it’s one of the best overviews anywhere of business continuity best practices and priorities. We think everyone working in BC should know about DRI’s outline.

It’s worth visiting DRI’s site to learn more, but we thought it would be useful to share the Executive Summary with readers of the blog. Here it is (along with links to recent posts on MHA Consulting and BCMMETRICS shining light on each area):

 

The DRI Professional Practices for Business Continuity Management Objectives

Executive Summary

1. Program Initiation and Management

  • Establish the need for a business continuity program.
  • Obtain support and funding for the business continuity program.
  • Build the organizational framework to support the business continuity program.
  • Introduce key concepts, such as program management, risk awareness, identification of critical functions/processes, recovery strategies, training and awareness, and exercising/testing.

At MHA, we believe that project initiation is one of the most important elements in BC/DR planning. You may be knowledgeable about the overall business structure and particular business applications, but the plan will require input and assessment from all levels of the organization. Without full organizational support, your plan will be incomplete.

Read More: BC/DR Project initiation

2. Risk Assessment

  • Identify risks that can adversely affect an entity’s resources or image.
  • Assess risks to determine the potential impacts to the entity, enabling the entity to determine the most effective use of resources to reduce these potential impacts.

3. Business Impact Analysis

  • Identify and prioritize the entity’s functions and processes in order to ascertain which ones will have the greatest impact should they not be available.
  • Assess the resources required to support the business impact analysis process.
  • Analyze the findings to ascertain any gaps between the entity’s requirements and its ability to deliver those requirements.

BIAs and Risk Assessments come together to identify the functional requirements that your program must address. They should be performed and updated on a regular basis, and one cannot replace the other. We recommend that you integrate the two, sharing information whenever possible, and presenting management with a single view that enables them to make more informed business decisions.

Read More: BIA and Risk Assessment: Why Both Are Important

4. Business Continuity Strategies

  • Select cost-effective strategies to reduce deficiencies as identified during the risk assessment and business impact analysis processes.

With management support secured and functional requirements identified, your next step is to develop your strategies. You can create an overall strategy, but you might also want to develop individual department strategies for recovery and continued operations during an emergency or outage event. Your recovery strategy does not have to be perfect, but it does need to be good enough. Remember, perfect is the enemy of good.

Read More: When A Good Recovery Strategy is Better than a Perfect Recovery Strategy

5. Incident Response

  • Develop and assist with the implementation of an incident management system that defines organizational roles, lines of authority and succession of authority.
  • Define requirements to develop and implement the entity’s incident response plan.
  • Ensure that incident response is coordinated with outside organizations in a timely and effective manner when appropriate.

The importance of a structured incident response cannot be overstated. Having such a system is critical for the protection of your organization: if and when you do face an emergency, your problems can be made significantly worse if your response is hampered by role confusion and poor communication. Sometimes you don’t need to reinvent the wheel, though. In our opinion, the best way to organize your crisis management team and response is to follow the method known as the Incident Command System or ICS.

Read More: Command Performance: Using the Incident Command System (ICS)

6. Plan Development and Implementation

  • Document plans to be used during an incident that will enable the entity to continue to function.

This Business Continuity Plan is the aggregate of your planning and analysis processes. It includes various documentation and checklists that allow your organization to continue to function effectively (or to restore business functions) during an emergency event. We’ve created a checklist to help you develop your plan that you can access here.

Read More: Create your complete Business Continuity Plan

7. Awareness and Training Programs

  • Establish and maintain training and awareness programs that result in personnel being able to respond to incidents in a calm and efficient manner.

At MHA, we like to think of this as your “Continuity Culture.” Continuity culture is where the practices, habits, and investments of an organization are oriented toward ensuring that its essential functions are resilient and not just recoverable in the face of a disruptive event. When an organization has a good continuity culture, business continuity is not a task to be checked off and forgotten about, but an ongoing process that has the steady backing of management and the informed participation of all employees.

Read More: Creating a Continuity Culture: How Your Organization Can Make Business Continuity a Habit

8. Business Continuity Plan Exercise, Assessment, and Maintenance

  • Establish an exercise, assessment and maintenance program to maintain a state of readiness.

After you have spent the time needed to develop plans and establish training, your next steps are business continuity and disaster recovery testing, assessment, and maintenance. Testing allows you to validate the functional capability and accuracy of your plans, but assessment and maintenance are also critical and are often mishandled by business continuity programs.

Read More: Business Continuity or Disaster Recovery Testing and Training Guidelines

9. Crisis Communications

  • Provide a framework for developing a crisis communications plan.
  • Ensure that the crisis communications plan will provide for timely, effective communication with internal and external parties.

By and large, every crisis response operates at two levels: what you do about it, and what you say about it. Most companies now consider a crisis management plan an important part of reputational risk mitigation. Every organization should have a crisis communications plan. It need not be long or complex, but it should have the input and support of senior management and should be communicated to employees so that they know what to expect when they see their boss on TV.

Read More: Crisis Communications: Managing the Message

10. Coordination with External Agencies

  • Establish policies and procedures to coordinate incident response activities with public entities.

There is much to be gained from coordinating your training, exercise, and response activities with external agencies. Experts such as law enforcement officers, data security consultants, your insurer, and public relations professionals can provide valuable insights that will strengthen your plan and better prepare you for a real-life emergency.

Read More: Exercise Smarter: Include 3rd Party Experts In Your Cyber Exercises

There it is, short and sweet—or rather, high and wide: a view of BC from a thousand feet up. We hope it helped you gain perspective on what the main components of business continuity are and how they fit together to protect an organization.

In our next post, we’ll fly back down to earth and get back to our usual work of grappling at ground level with the gremlins of BC.
