It’s easy to get lost in the weeds in talking about Business Continuity and IT/Disaster Recovery. For a bird’s-eye view of the field, you might find it helpful to check out Disaster Recovery Institute International’s “Professional Practices.”
There’s one thing almost everyone agrees with about Business Continuity (BC) and IT/Disaster Recovery (IT/DR). There are a lot of details, the content is abstract, and it can be hard to maintain perspective.
Sometimes it helps to go up in a helicopter (so to speak) and survey the scene from altitude.
One of the best high-level overviews of BC and IT/DR that we know of is the Executive Summary of Professional Practices from the Disaster Recovery Institute International (DRI).
In case you’re not familiar with them, DRI is a nonprofit organization based in New York City that provides accreditation to BC professionals and helps organizations around the world do better at business continuity and disaster recovery.
The Professional Practices is their description of the entirety of business continuity and what is required to create a solid program. The Executive Summary boils this down to the essentials.
We at MHA Consulting make heavy use of DRI’s framework in our work with our client companies. In our view, it’s one of the best overviews anywhere of business continuity best practices and priorities. We think everyone working in BC should know about DRI’s outline.
It’s worth visiting DRI’s site to learn more, but we thought it would be useful to share the Executive Summary with readers of the blog. Here it is (along with links to recent posts on MHA Consulting and BCMMETRICS shining light on each area):
The DRI Professional Practices for Business Continuity Management Objectives
At MHA, we believe that project initiation is one of the most important elements in BC/DR planning. You may be knowledgeable about the overall business structure and particular business applications but the plan will require input and assessment from all levels of the organization. Without full organizational support, your plan will be incomplete.
Read More: BC/DR Project initiation
BIAs and Risk Assessments come together to identify the functional requirements that your program must address. They should be performed and updated on a regular basis and one cannot replace the other. We recommend that you integrate the two, sharing information whenever possible, and presenting management with a single view that enables them to make more informed business decisions.
With management support secured and functional requirements identified, your next step is to develop your strategies. You can create an overall strategy, but you might also want to develop individual department strategies for recovery and continued operations during an emergency or outage event. Your recovery strategy does not have to be perfect, but it does need to be good enough. Remember, perfect is the enemy of good.
The importance of a structured incident response cannot be understated. Having such a system is critical for the protection of your organization since if and when you do face an emergency, your problems can be made significantly worse if your response is hampered by role confusion and poor communication. Sometimes you don’t need to reinvent the wheel, though. In our opinion, the best way to organize your crisis management team and response is to follow the method known as the Incident Command System or ICS.
This Business Continuity Plan is the aggregate of your planning and analysis processes. It includes various documentation and checklists that allow your organization to continue to function effectively (or to restore business functions) during an emergency event. We’ve created a checklist to help you develop your plan that you can access here.
At MHA, we like to think of this as your “Continuity Culture.” Continuity culture is where the practices, habits, and investments of an organization are oriented toward ensuring that their essential functions are resilient and not just recoverable in the face of a disruptive event. When an organization has a good continuity culture business continuity is not a task to be checked off and forgotten about, but an ongoing process that has the steady backing of management and the informed participation of all employees.
After you have spent the time needed to develop plans and establish training, your next steps are business continuity and disaster recovery testing, assessment, and maintenance. Testing allows you to validate the functional capability and accuracy of your plans, but assessment and maintenance are also critical and are often mishandled by many business continuity programs.
By and large, every crisis response operates at two levels: what you do about it, and what you say about it. Most companies now consider a crisis management plan an important part of reputational risk mitigation. Every organization should have a crisis communications plan. It need not be long or complex, but it should have the input and support of senior management and should be communicated to employees so that they know what to expect when they see their boss on TV.
Read More: Crisis Communications: Managing the Message
There is much to be gained from coordinating your training, exercise, and response activities with external agencies. Experts such as law enforcement officers, data security consultants, your insurer, and public relations professionals can provide valuable insights that will strengthen your plan and better prepare you for a real-life emergency.
There it is, short and sweet—or rather, high and wide: a view of BC from a thousand feet up. We hope it helped you gain perspective on what the main components of business continuity are and how they fit together to protect an organization.
In our next post, we’ll fly back down to earth and get back to our usual work of grappling at ground level with the gremlins of BC.