This chapter describes the tools that businesses can use to create a Business Continuity and Disaster Recovery Plan. Utilizing business modeling, business impact analysis, risk analysis, and mitigation strategies, businesses can analyze their operations to identify the business-critical functions that must be recovered as quickly as possible during any type of disaster. These processes are illustrated using the case study of a hypothetical small manufacturing business located in California. Specific information technology solutions are also discussed, along with the necessity of integrating them into the overall plan. Businesses that are prepared to face any kind of disaster with an implemented and tested Business Continuity and Disaster Recovery Plan are much more likely to survive than businesses that do not have such a plan. It is hoped that the contents of this chapter will spur business owners who have not yet adopted such a plan to do so.
Disasters have affected businesses in all shapes and forms for hundreds of years. However, with the advent of high-speed communication, computers, digitized data, and vastly increased reliance on databases and electronic storage of information, businesses have a lot more to lose than hardware if a disaster strikes. Many businesses also operate in a “24/7” environment and are global in their scope of operations. A high percentage of small businesses are also Internet-based, or have a significant portion of income derived from the Internet, a marketing and selling resource system that 15 years ago was little more than a curiosity.
Consider the following facts: (a) 80 percent of businesses affected by a major “incident” close within 18 months, (b) 90 percent of businesses that lose data as a result of a disaster close within two years, and (c) 58 percent of UK businesses were disrupted by a manmade disaster over 3,000 miles away in another country (the World Trade Center terrorist attacks of September 11, 2001 in New York) (Taylor, 2006). It is clear that all businesses, from large multinational corporations down to the “mom and pop” business selling services on the Internet, must develop a disaster recovery (DR) plan and prepare for business continuity (BC) following an incident that affects business operations.
It used to be that BC and DR plans were the domain of IT departments, and while some of the mission-critical items are certainly IT-related, the functions of IT must be integrated into the overall plan (Taylor, 2006; Vijayan, 2005). D’Amico (2006) recommends a three-pronged approach to preparing BC and DR plans. First is the Resolve Phase, which involves assessing the risks, who should be involved, what units of the business are most critical, and what steps can be taken to minimize risk. Second is the Respond Phase, which includes formation of the disaster response team, how information will be disseminated to employees, how customers and suppliers will be notified, and where personnel will operate and with what equipment. Third is the Rebuild Phase, which includes the decision of which personnel will be directly involved in damage assessment and rebuilding, adjustments to business operations while rebuilding is in progress, and the maintenance of operations so that business can proceed. This is the approach adopted for the chapter.
The chapter comprises four main sections: (a) background, which includes categories of disasters that can impact businesses, consequences, and an outline of business continuity and disaster recovery methodologies; (b) the three-phase approach to BC and DR, which includes (1) constituting a BC & DR team, (2) assessing the risks of likely disasters, (3) forming a priority list of business-critical functions, (4) mitigating the risks, (5) creating operations plans in the event of a disaster, (6) writing the BC & DR plan in simple manual form, (7) implementing and testing the plan, and (8) specific IT and engineering functions that must be integrated into the overall plan, which include backup and distribution of company data and records, provision of hardware and software backup, specific supplier and intercompany agreements, satellite and voice-over IP (VOIP) telephone switching, utility backup, temporary employee and business relocation, and restoration of critical systems on a priority basis; (c) future trends; and (d) conclusions.
The chapter is geared primarily toward small and medium-sized businesses and entities.
Key Terms in this Chapter
Hot Site: A location remote to the normal geographic locations of a business, which stores business-critical data and has the systems in place to restore and bring online business-critical functions.
Risk Analysis: The process of analyzing possible threats to a business, and estimating their probability and impact.
Business Modeling: A process of mapping all the functions of a business from a relationship point of view.
Mitigation Strategies: Strategies developed to minimize the threats to a business and their impact during a disaster.
Cold Site: A location remote to the normal geographic locations of a business, which stores business-critical data.
Business Impact Analysis: The process of delineating the functions most critical to the survival of a business.
Disaster Footprint: The size of a disaster in terms of geographic area affected and the level of destruction.
Disaster Recovery: The process of bringing business-critical functions back online as soon as possible.
Business Continuity: The continuance of business operations regardless of the disasters that befall the business.