The Ultimate Guide to Business Continuity and Disaster Recovery (BCDR)
Events of the past few years have proven that disruption may hit unexpectedly at any time. They have been a stark reminder to companies worldwide of the importance of emergency preparedness.
Still, in the age of speed, MSPs have little to no time for downtime, as stakeholders everywhere know they have many options from which to choose. This puts significant pressure on organizations that always need their MSP to have a solid go-to business continuity plan and a disaster recovery strategy.
This is where Business Continuity and Disaster Recovery (BCDR) comes in. It is the discipline that helps businesses manage disruptive events. In this material, we will walk you through everything you need to know about BCDR and its benefits, how to prepare your disaster documentation and procedures, and how to choose the best business continuity and disaster recovery software for your company.
What is business continuity and disaster recovery (BCDR)?
Business Continuity and Disaster Recovery (BCDR) represents a set of approaches and processes which enable organizations to continue their business operations and recover from a potential disaster, resuming their routines. In this context, “disaster” may refer to natural disasters and calamities, outages of natural gas and other resources, disruptions associated with power failure, employee negligence or malicious activities, accidental data deletion, cyberattacks, or hardware issues.
By combining Business Continuity (BC) and Disaster Recovery (DR) techniques, organizations may reduce risks and ensure that, if disruptions occur, they have the resources and strategies to restore normal operations and keep their recovery times to a minimum.
Moreover, this combination of business and IT functions confirms the need to develop collaborative plans for incident response. This is the most efficient way to ensure your MSP reduces data loss risks and becomes more stable and robust when confronted with emergencies. Such a comprehensive, 360-degree approach builds trust and reputation among stakeholders.
Business Continuity explained
As defined by the Business Continuity Institute, BC covers strategic and tactical techniques through which organizations may prepare for and respond to major incidents and business disruptions to ensure they continue their operations within acceptable parameters.
This approach enables organizations to deliver critical business goals during and after a disaster. To do so, BC focuses on different key pillars, such as human resources, communications channels, stakeholder relations (vendors, business partners, authorities), technology infrastructure, and operational infrastructure.
Disaster Recovery explained
Unlike Business Continuity, which is considered proactive, Disaster Recovery is reactive because it focuses on the steps necessary to resume business operations, reduce downtime and ensure crucial support systems get back up and running with minimal loss. Depending on the severity of the disaster, you might deploy DR seconds or days after the incident.
Disaster Recovery focuses on how MSPs recover their client data after the disaster, often heavily involving IT teams, systems, and processes. The Disaster Recovery Journal defines DR as the process, policies, and procedures that prepare organizations to recover or continue vital IT infrastructure, systems, and apps after a disaster or outage.
Business Continuity and Disaster Recovery are parts of an organization’s risk management strategy. It is only together that the two can mitigate a potential disaster’s operational and business impact. This is why BCDR strategies should be treated as a whole, covering specific procedures and strategies that help companies to recover after crises.
What is a business continuity plan (BCP)?
A business continuity plan (BCP) is a document that emphasizes the key factors that an organization needs to resume operations in case of a disaster scenario. It includes a risk assessment that showcases what might impact an organization’s operations and a business impact analysis. The approach enables the BCP team to point out the systems and critical functions that need to be sustained and what measures should be taken to resume business processes.
Who is responsible for the business continuity plan?
The bigger and more complex the client and associated risks, the more people and functions are involved in business continuity planning with your MSP. Some companies also create Business Continuity Steering Committees that meet once or several times a year to ensure that the business continuity plan is continuously updated and in line with the company’s strategy, operations, and goals.
Executive managers, senior management members, risk committees, and the board of directors might also get involved in business continuity planning.
What does the business continuity plan include?
While business plans might differ, there are some key elements that every business continuity plan should include:
- A detailed audit of the various risks, threats, and problems most likely to impact business operations
- A documented list of all mission-critical business functions and processes that, if interrupted, will cause an all-out stoppage
- The list of personnel within the organization who have the authority to declare a disaster and the team who will execute the response effort
- An emergency communication plan that lets managers notify employees, vendors, and stakeholders of a crisis if critical systems are unavailable and business facilities are inaccessible
According to Susan Snedaker, the author of the book Business Continuity and Disaster Recovery Planning for IT, several key questions help professionals approach business continuity planning:
- What would happen to the organization if tools and terminals like desktops, laptops, servers, email, and Internet access became unavailable? How would the company function?
- What are the single points of failure?
- What are the risk management systems and controls that the company has in place?
- What are the company’s vital outsourced relationships and dependencies?
- If a disruption occurs, what workarounds exist for critical business processes and internal functions like HR?
- What is the minimum number of people the company needs to run its data centers and operations, and what are the vital functions that must be carried out?
- What critical skills, expertise, and know-how does the company need to recover?
- What critical security and operational controls are mandatory if computer systems shut down?
The above questions enable teams to gather and understand the information necessary for Business Impact Analysis and Risk Assessment. After having the facts, professionals may focus on developing and designing the plan. Once an acceptable version exists, it is imperative to test it and update it to remain aligned with the organization’s vision and strategy.
What is a disaster recovery plan (DRP)?
A disaster recovery plan is a well-documented approach that emphasizes how an organization may restore its normal business operations after a disaster. The disaster recovery plan focuses on reestablishing data and IT infrastructure and providing instructions and procedures in case critical employees are unreachable and can’t perform their duties, as set out in the company’s organizational chart.
Who is responsible for the disaster recovery plan?
While your MSP is the backbone of DR planning, you should create a cross-functional team with each of your clients. This way, you ensure you have the expertise to cover the organization’s risk areas fully.
DR planning requires a disaster recovery coordinator, with your MSP leading the execution and ensuring it meets business needs. They will help assess and determine the strategy and budget, focus on compliance, and contribute to forming the disaster recovery team.
Your disaster recovery team understands the company’s unique IT ecosystem and knows how to maintain the integrity of its networks, servers, database, and storage.
What does the DRP include?
Every disaster recovery plan should include the following:
- A complete inventory of all critical hardware and applications without which the business cannot continue
- The amount of time the business has to restore critical systems before the downtime or outage causes significant harm. This is known as the recovery time objective or RTO
- A data loss tolerance, i.e., the amount of data that can be lost (measured as the amount of time since the last backup) before the business sustains severe damage. This is the recovery point objective or RPO. Ensure the organization remains compliant with data retention regulations such as HIPAA, the General Data Protection Regulation, or other legal requirements
- Procedures for post-disaster clean-up, such as notifying employees and stakeholders about the recovery status, tending to any issues that might have contributed to the disaster, and amending the DR plan to shore up any shortcomings discovered during the recovery process
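As an added example (not from the original article or Axcient’s own tooling), the Python below checks a constructed backup catalogue and DR drill log against the RPO and RTO targets a DRP would record: the largest gap between consecutive backups is the worst-case data loss the schedule permits, and the time from declaring a disaster to restoring service in a drill is measured against the RTO. The system names, timestamps and targets are all made up for the illustration.

```python
from datetime import datetime, timedelta
from typing import Optional

# Constructed targets, as a DRP inventory might record them (hypothetical systems).
TARGETS = {
    "erp-db": {"rpo": timedelta(hours=1), "rto": timedelta(hours=4)},
    "fileshare": {"rpo": timedelta(hours=24), "rto": timedelta(hours=24)},
}

# Constructed backup catalogue: ISO timestamps of completed backups per system.
BACKUPS = {
    "erp-db": ["2024-03-01T00:00", "2024-03-01T01:00",
               "2024-03-01T02:00", "2024-03-01T05:00"],
    "fileshare": ["2024-02-28T22:00", "2024-02-29T22:00", "2024-03-01T22:00"],
}

# Constructed DR drill log: (disaster declared, service restored) per system.
DRILLS = {
    "erp-db": ("2024-03-02T09:00", "2024-03-02T12:30"),
    "fileshare": ("2024-03-02T09:00", "2024-03-03T10:00"),
}


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def worst_rpo_gap(backups) -> timedelta:
    """Largest interval between consecutive backups: the worst-case data loss
    the schedule allows, which must not exceed the RPO."""
    times = sorted(_ts(b) for b in backups)
    return max((b - a for a, b in zip(times, times[1:])), default=timedelta(0))


def data_loss_at(backups, incident_at: str) -> Optional[timedelta]:
    """Data lost if an incident hits at incident_at: time since the last backup
    completed before that moment (None if no backup exists yet)."""
    t = _ts(incident_at)
    prior = [_ts(b) for b in backups if _ts(b) <= t]
    return t - max(prior) if prior else None


def drill_recovery_time(drill) -> timedelta:
    """Elapsed time from declaring the disaster to restoring the service."""
    declared, restored = drill
    return _ts(restored) - _ts(declared)


def evaluate(targets, backups, drills, incident_at: str) -> dict:
    """Compare every system's backup schedule and drill result against RPO/RTO."""
    report = {}
    for system, t in targets.items():
        gap = worst_rpo_gap(backups.get(system, []))
        rec = drill_recovery_time(drills[system]) if system in drills else None
        report[system] = {
            "worst_gap": gap,
            "rpo_met": gap <= t["rpo"],
            "loss_if_now": data_loss_at(backups.get(system, []), incident_at),
            "recovery_time": rec,
            "rto_met": rec is not None and rec <= t["rto"],
        }
    return report


if __name__ == "__main__":
    for name, r in evaluate(TARGETS, BACKUPS, DRILLS, "2024-03-01T06:30").items():
        rpo = "OK" if r["rpo_met"] else "RPO MISSED"
        rto = "OK" if r["rto_met"] else "RTO MISSED"
        print(f"{name}: worst backup gap {r['worst_gap']} ({rpo}), "
              f"drill recovery {r['recovery_time']} ({rto})")
```

Feeding the script a real backup catalogue export turns the RPO into a measurable check rather than a stated intention, and the drill log shows whether the RTO has ever actually been met.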
Another vital aspect to consider when reviewing your disaster recovery plan is the location of the disaster recovery site. While a DR site that is close to your operational points and primary data center appears to be a good idea, in terms of convenience and costs, you have to take into account that the proximity might make everything vulnerable to a disruptive event with regional ramifications, such as a flood, an earthquake, a fire, etc.
Once your plan is shared, it is crucial to test it and ensure your team is well-trained on the steps necessary for critical business processes. Your team members need to familiarize themselves with what needs to be done before experiencing an emergency with its share of pressure and variables. Routine testing makes professionals more comfortable with situations that severely impact their activities and helps identify potential flaws, uncovered aspects, and updates that need to be performed.
What are the benefits of having a BCDR solution?
The advantages of implementing a BCDR solution are numerous. In an emergency, an organization that is prepared to face the problems presented by an unanticipated occurrence will maintain its productivity and, as a result, its profitability.
BCDR solutions provide several benefits, including:
Employee productivity and revenue generation in case of a crisis
Business continuity and disaster recovery procedures help ensure that employees maintain a certain level of productivity and that you and your customers keep generating revenue if a crisis occurs. When businesses experience downtime for any reason — be it an everyday disruption, such as a power outage or server failure, or a more extreme disaster, such as an earthquake or flood — they cannot conduct business as usual. This causes them to lose money. A reliable BCDR solution helps organizations maintain key income sources open and operate at full capacity as soon as possible. The approach limits companies’ lost revenues to a minimum.
Stable company reputation
Downtime can cause much more than just a financial drain on the business — the longer-term reputational costs could be disastrous. Partners and customers alike could lose trust in a company if it cannot meet essential obligations due to downtime. With a robust BCDR solution, organizations continue business operations and ensure stakeholder relations strategies are in place, so they don’t experience discomfort. This approach helps your brand keep its reputation high and not lose trust capital.
With so many options, clients may switch MSPs for minor reasons. The more competitive pressure out there, the more downtime could jeopardize your relationship with key stakeholders.
Small businesses are particularly vulnerable to customer loss since the cost of acquiring new customers is significantly higher than retaining the existing ones.
This is where a BCDR solution comes in, as it reduces customer churn by ensuring your company may always serve its clients.
Compliance with industry regulations
If your company operates in a highly regulated, strict industry like healthcare or finance, a business continuity and disaster recovery plan is mandatory because it ensures your organization complies with critical requirements.
National and international laws require businesses to closely safeguard and retain sensitive digital information for immediate access at all times. Backup and disaster recovery procedures ensure organizations do not worry about compliance violations and legal issues related to data loss and downtime. Your clients can focus on generating revenue and making customers happy.
Getting started on building a BCDR plan
To work effectively on your company’s BCDR plan, split it into components, integrating business continuity and disaster recovery.
The first element you need to consider is the BCDR policy, which covers a series of aspects, such as the scope of the strategy, how responsibilities are allocated, the tactics, the key performance indicators, and the key risk indicators.
Once you have this in place, it is time to gather the whole business continuity and disaster recovery team to perform the risk, infrastructure, and business impact analysis. This enables your team to identify what the plans need to focus on and set up guidelines regarding acceptable downtime. Taking all these into account, those in charge write the step-by-step procedures and test and approve them with the decision-makers.
The final document needs to be communicated to relevant third parties so that they know what to expect and what is expected of them in case of a significant crisis.
Many companies go that extra mile and create an emergency communications plan that focuses on the potential messages each stakeholder group will receive and the channels associated with them.
Regarding BCDR plans, testing is mandatory because it helps organizations ensure that their procedures will help them manage crises and preserve critical operations. Moreover, testing at regular intervals, usually quarterly, also contributes to continual improvement, certifying that the business continuity and disaster recovery plan is constantly updated to keep up with the company’s evolution.
Depending on the organization’s capabilities and information technology resources, you may perform testing simply, by inviting BCDR team members to walk through disaster scenarios and assess whether the plans are adequate, or in more complex formats.
A full-scale test simulation involves making the business continuity and recovery team complete, step-by-step, the procedures explained in the plans, resorting to backup systems and recovery sites. This might be costly, as it involves allocating human resources and external costs.
Managing costs of BCDR
Business continuity and disaster recovery generate costs associated with human resources, backup and DR technologies, and testing. To ensure they receive the necessary funds, MSPs should build strong proposals that expand on the approach’s benefits, the required resources, the providers’ credentials, and documented procurement requests.
A critical factor to consider when designing the budget for business continuity and disaster recovery strategies is that the investment has to have a return. This means that the costs associated with the proposal must be significantly smaller than the financial value associated with the damages a disaster would produce.
BCDR is a standardized discipline, so national and international institutions, such as the International Organization for Standardization (ISO), have published their guidelines.
If you are looking for a framework that helps you build your company’s BCDR plan, here are some examples:
- ISO/TS 22317:2021 Security and resilience — Business continuity management systems — Guidelines for business impact analysis
- FINRA Rule 4370. Business Continuity Plans and Emergency Contact Information
- National Fire Protection Association 1600: Standard on Continuity, Emergency, and Crisis Management (new consolidated draft pending)
- NIST Special Publication 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems
- American National Standards Institute/ASIS ORM.1.201 Security and Resilience in Organizations and Their Supply Chains
- ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements
- ISO 22313:2012 Societal security — Business continuity management systems — Guidance
- ISO 22320:2018 Security and resilience — Emergency Management — Guidelines for incident management
- ISO/IEC 27031:2011 Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity.
Considerations on which BCDR software to use
BCDR is a complex topic, so identifying the right software might take time and effort. Still, some aspects can make the process smoother and clearer:
Check for security standards and regulation compliance
Reliable providers of BCDR software know how important it is for companies to protect themselves against regulatory breaches that can cost tens of thousands of dollars in penalties. This is why they are happy to provide certification reports, compliance standards, encryption methodologies, and complete security questionnaires regularly or whenever clients ask.
Take HIPAA, for example. To ensure Axcient remains compliant over time, we regularly apply the following measures:
- Conduct a HIPAA risk analysis with HIPAA consultants and other third parties.
- Review policies and procedures, employee training, and operational standards.
- Update everything necessary to meet the HIPAA Security Rule.
- Provide MSPs with a letter attesting to our HIPAA-compliant solutions and practices, which you can use to build customer trust.
Ensure your partner provides third-party, independent testing
It is strongly recommended that your BCDR partner of choice provides both external and internal penetration tests. External penetration testing simulates outside attackers attempting to reach internal systems. With internal penetration testing, you give the ethical hackers the keys to the castle. Once inside your systems, internal penetration testing shows the effort required to overcome your security infrastructure, focusing on configuration issues, security clearances, and access to data, assets, and information.
This gives you full visibility into how effective your security measures are and informs the updates and upgrades your BCDR plans need.
Ask for proof
The best way to ensure anything does what it’s supposed to do is to try it yourself. With BCDR, it’s crucial to do that before an actual crisis. This is why you should ask your partner for product demos and individual product training that allow you to run real-life scenarios in real time.
Moreover, you should also ensure that the software offers intelligent dashboards that give insight into the health of your backup power system, along with warning alerts that let you see potential issues before they escalate into situations that threaten your operations.
Business continuity and disaster recovery strategies are mandatory for all organizations that want to be prepared for disruptive events and ensure that their stakeholders benefit from consistent services, no matter the context. With BCDR planning, companies create a safety net that helps them limit downtime to the minimum and restore their activities in the most effective way possible.
Often, such an approach involves a BCDR software provider that enables them to identify and catalog their organization’s mission-critical processes and systems, create plans, automate testing, and much more.
At Axcient, we understand the struggles through which businesses go, so our business continuity and disaster recovery solutions help clients minimize the effects of disastrous events, such as cyberattacks, power outages, and natural calamities.
Sign up and start your 14-day trial.
Business continuity vs disaster recovery planning: What are the differences and similarities?
Business continuity planning and DRP are both proactive strategies that enable companies to face significant crises and prepare for a disruptive event that is either ecological or human-made. They must be aligned with the company’s vision and goals and need constant updates and testing.
Although they might seem to overlap, at first glance, they are not the same thing. Here are the key differentiators:
- An excellent way to think about business continuity planning and DR planning is to associate the business continuity plan with persistence and the DRP with rebuilding. The first focuses on maintaining core business functions, the second on complete data and IT infrastructure recovery so that the organization operates at full capacity. The business continuity plan ensures the company delivers critical products and services and doesn’t completely shut down operations. In contrast, the DRP ensures functions are 100% restored within an acceptable timeframe.
- Given the point above, it is clear that the business continuity plan and DRP have different goals and KPIs: effective continuity planning measures operational downtime, while disaster recovery analysis focuses on the mean time to recovery.
- Disaster recovery focuses on more than the actual organizational operations; it also includes strategies for keeping employees safe. As part of the DRP, companies organize fire drills and purchase emergency supplies.
- A typical business continuity plan prioritizes communication methods, such as phones, emails, and network servers, ensuring they still function if natural disasters or other man-made crises strike a company.
Some organizations might treat disaster recovery plans as a part of business continuity.
What’s the difference between business resilience and business continuity?
Business resilience is an organization’s ability to return to a previous operational state after a disastrous event. Business continuity is the approach that helps the company build resilience.
What’s the difference between organizational resilience and operational resilience?
Organizational resilience (OR) is a company’s ability to protect itself against catastrophes and safeguard everything involved in running the organization – personnel, apps, infrastructure and technologies, facilities, working spaces and warehouses, processes, and policies.
Part of OR, Operational resilience (OpR), focuses on the people, processes, and infrastructure that enable a business to respond and adapt to disruptive events and change.
About the Author: Carissa Johnson // Product Marketing Manager, Axcient
Carissa Kohn-Johnson has a background in healthcare technology and information technology, and is now the Product Marketing Manager for Axcient. She has a lot of MSP Channel experience from planning and attending hundreds of conferences and tradeshows, and found her passion in IT. Carissa is also an elected official in Cary NC, a town chock full of technology-forward people. Connect with her on LinkedIn – perhaps you can contribute to the Axcient blog?