Business continuity and crisis management experts rarely talk about the gap between business continuity and IT disaster recovery planning.
But they should.
The distance between the IT disaster recovery program you have and what you need could be bigger than you think.
Like one of our clients whose IT disaster recovery plans for several critical systems needed to support a recovery time objective of 24 hours but were built for 7 days.
They’ve unknowingly been walking a tightrope over the Grand Canyon and hoping for the best. Because that 6-day gap could become a multi-million dollar problem in the face of a crisis.
My stomach is hovering somewhere above my head just thinking about it.
If you want to avoid canyon-sized gaps like this, and the potential consequences, your business continuity and IT disaster recovery functions need to work together closely.
But in most organizations, they aren’t working together at all.
Here, we explore the common reasons for this disconnect and what you can do about it. With our highly actionable tips, you’ll know how to make sure your disaster recovery program is planted firmly on solid ground.
Could Gaps in Your IT Disaster Recovery Program Be Putting Your Organization at Risk?
Cyber threats proliferate and technology innovates at breakneck speed. Software and hardware must be continuously implemented and updated to keep pace. Yet business continuity programs are rarely responsive in providing the data, in both form and frequency, that IT needs to accurately plan its disaster recovery strategies.
Consequently, IT is often pressed to come up with its own answers to critical system requirements, such as availability, acceptable downtime or recovery time objectives (RTO), and recovery point objectives (RPO).
We think about Recovery Time Objective (RTO) as the maximum amount of time that a business process or IT system can be disrupted before the impact becomes unacceptable to the broader business. We think about Recovery Point Objective (RPO) as the point in time to which systems and data must be recovered following a disruption (sometimes referred to as maximum data loss).
But as the saying goes, “you don’t know what you don’t know.”
Business continuity and IT teams often assume they understand their IT disaster recovery requirements when they’ve actually got it all wrong. As a result, they architect inadequate solutions to their IT disaster recovery needs.
Your answers to the following questions will help you identify if your own organization could be at risk.
- Can you succinctly explain how your business continuity and technology or IT disaster recovery functions work together to ensure that critical technology applications are recovered to established RPO and RTO objectives?
- Can your teams clearly articulate the difference between business continuity, crisis management, and IT disaster recovery/IT technology continuity and also identify who is responsible for each function in your organization?
- Is your IT or disaster recovery team well represented on your business continuity and crisis management steering committee?
If you can’t confidently answer “yes” to all of these questions, you might have a problem.
- You can’t explain how your business continuity and technology or IT disaster recovery functions work together towards RPO and RTO objectives
- Your teams don’t understand the difference between business continuity, crisis, management, and IT disaster recovery/IT technology continuity or know who is responsible
- Your IT or disaster recovery team is not represented on your business continuity and crisis management steering committee
Here’s how to get to solutions.
Want to learn more about Business Continuity?
Our Ultimate Guide to Business Continuity contains everything you need to know about business continuity.
You’ll learn what it is, why it’s important to your organization, how to develop a business continuity program, how to establish roles & responsibilities for your program, how to get buy-in from your executives, how to execute your Business Impact Analysis (BIA) and Business Continuity Plans, and how to integrate with your Crisis Management strategy.
We’ll also provide some perspectives on how to get help with your program and where to go to learn more about Business Continuity.
3 Ways to Close the Gap Between Business Continuity and IT Disaster Recovery
1. Make sure IT has a seat at the table
While IT should ideally own the disaster recovery process, their input is critical to both your organization’s overall technology strategy and in determining system availability and recovery requirements in the event of a disaster.
So the best and first way to close the gap between business continuity and IT disaster recovery is to ensure IT is represented in your business continuity and crisis management steering committee.
Working together with your steering committee, IT can help you more accurately and quickly assess:
- Where there are major gaps in your IT disaster recovery capabilities based on data from your business continuity program
- What needs to be done to close those gaps
- Which ones should be prioritized and which ones you may be willing to accept the risks based on your available resources and capabilities
At the outset, your conversations should also aim to get alignment on how you define business continuity, crisis management, and IT disaster recovery.
Over time, you should regularly revisit these discussions to address newly identified gaps between requested and actual recovery times.
2. Design your BIA process to capture the right data
Expecting your IT team to architect the right IT disaster recovery solutions without the right data is a lot like putting four wheels on a car but no gas tank and expecting it to drive.
Your business impact analysis (BIA) should be designed to capture the key data that your IT team needs to design an effective IT disaster recovery plan. That typically includes answering these two key questions:
- When does a specific business process need to be back up and running?
- What are their dependencies on third party(vendors), technologies, facilities, and people?
Designing your BIA to answer these important questions will help your IT team better understand recoverability and availability requirements. As a result, they’ll be empowered to design more effective underlying applications and infrastructure recovery tiers.
3. Stick to the standards (ISO 27031, more precisely)
At Bryghtpath, we use the International Standards Organization (ISO) standards as the blueprint for our business continuity, crisis management, and disaster recovery planning efforts. Here’s why:
- All ISO standards are harmonized around the same language and structure. This aids the coordination of business continuity, crisis response, information security, and IT disaster recovery efforts across the organization and facilitates the clear communication of each respective function at the leadership level.
- ISO’s approach is largely based on the Plan-Do-Check-Act (PDCA) model. The PDCA model is a highly effective and proven approach for program improvement that ensures your program matures well over time.
ISO Standard 27031 is specifically focused on the information and communication technology requirements for business continuity and disaster preparedness. The standard is built to ensure your IT DR program satisfies crucial data security requirements and meets the needs of your enterprise operations. It also provides for IT-led disaster recovery exercises, which should be a part of every IT DR program.
The ISO 27031 standard is an excellent framework to guarantee that your IT DR program is effective, aligns with industry standards, and grows to maturity over time.
Want to learn more about closing the gap between your IT Disaster Recovery and Business Continuity Programs?
Bryghtpath can help you step off the tightrope with confidence. Our team of experts helps the world’s leading brands, public sector agencies, and nonprofit organizations strategically navigate uncertainty and disruption.
Want to work with us or learn more about closing the gap between business continuity & IT disaster recovery?
- Our proprietary Resiliency Diagnosis process is the perfect way to advance your crisis management, business continuity, and crisis communications program. Our thorough standards-based review culminates in a full report, maturity model scoring, and a clear set of recommendations for improvement.
- Our Business Continuity (including Disaster Recovery) & Crisis Management services help you rapidly grow and mature your program to ensure your organization is prepared for the storms that lie ahead.
- Learn about our Free Resources, including articles, a resource library, white papers, reports, free introductory courses, webinars, and more.
- Set up an initial call with us to chat further about how we might be able to work together