Business continuity planning

Business continuity may be defined as “the capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident”, and business continuity planning (or business continuity and resiliency planning) is the process of creating systems of prevention and recovery to deal with potential threats to a company.[4] In addition to prevention, the goal is to enable ongoing operations before and during execution of disaster recovery. Business continuity is the intended outcome of proper execution of both business continuity planning and disaster recovery.

Business continuity planning is the process involved in creating a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.

Several business continuity standards have been published by various standards bodies to assist in check listing ongoing planning tasks.

An organization’s resistance to failure is “the ability to withstand changes in its environment and still function“. Often called resilience, it is a capability that enables organizations to either endure environmental changes without having to permanently adapt, or the organization is forced to adapt a new way of working that better suits the new environmental conditions.

Key features of an effective business continuity plan:

• Organization: Objects that are related to the structure, skills, communications and responsibilities of its employees.
• Strategy: Objects that are related to the strategies used by the business to complete day-to day activities while ensuring continuous operations.
• Applications and data: Objects that are related to the software necessary to enable business operations, as well as the method to provide high availability that is used to implement that software.
• Technology: Objects that are related to the systems, network and industry-specific technology necessary to enable continuous operations and backups for applications and data.
• Processes: Objects that are related to the critical business process necessary to run the business, as well as the IT processes used to ensure smooth operations.
• Facilities: Objects that are related to providing a disaster recovery site if the primary site is destroyed.

Planners must have information about:

• Equipment
• Supplies and suppliers
• Locations, including other offices and backup/work area recovery (WAR) sites
• Documents and documentation, including which have off-site backup copies:
• Business documents
• Procedure documentation

Tiers of preparedness

SHARE’s seven tiers of disaster recovery:

Tier 0: No off-site data; Businesses with a Tier 0 Disaster Recovery solution have no Disaster Recovery Plan. There is no saved information, no documentation, no backup hardware, and no contingency plan. Typical recovery time: The length of recovery time in this instance is unpredictable. In fact, it may not be possible to recover at all.

Tier 1: Data backup with no Hot Site; Businesses that use Tier 1 Disaster Recovery solutions back up their data at an off-site facility. Depending on how often backups are made, they are prepared to accept several days to weeks of data loss, but their backups are secure off-site. However, this Tier lacks the systems on which to restore data. Pickup Truck Access Method (PTAM).

Tier 2: Data backup with Hot Site; Tier 2 Disaster Recovery solutions make regular backups on tape. This is combined with an off-site facility and infrastructure (known as a hot site) in which to restore systems from those tapes in the event of a disaster. This tier solution will still result in the need to recreate several hours to days worth of data, but it is less unpredictable in recovery time. Examples include: PTAM with Hot Site available, IBM Tivoli Storage Manager.

Tier 3: Electronic vaulting; Tier 3 solutions utilize components of Tier 2. Additionally, some mission-critical data is electronically vaulted. This electronically vaulted data is typically more current than that which is shipped via PTAM. As a result there is less data recreation or loss after a disaster occurs.

Tier 4: Point-in-time copies • Tier 4 solutions are used by businesses that require both greater data currency and faster recovery than users of lower tiers. Rather than relying largely on shipping tape, as is common in the lower tiers, Tier 4 solutions begin to incorporate more disk-based solutions. Several hours of data loss is still possible, but it is easier to make such point-in-time (PIT) copies with greater frequency than data that can be replicated through tape-based solutions.

Tier 5: Transaction integrity; Tier 5 solutions are used by businesses with a requirement for consistency of data between production and recovery data centers. There is little to no data loss in such solutions; however, the presence of this functionality is entirely dependent on the application in use.

Tier 6: Zero or little data loss; Tier 6 Disaster Recovery solutions maintain the highest levels of data currency. They are used by businesses with little or no tolerance for data loss and who need to restore data to applications rapidly. These solutions have no dependence on the applications to provide data consistency.

Tier 7: Highly automated, business-integrated solution; Tier 7 solutions include all the major components being used for a Tier 6 solution with the additional integration of automation. This allows a Tier 7 solution to ensure consistency of data above that of which is granted by Tier 6 solutions. Additionally, recovery of the applications is automated, allowing for restoration of systems and applications much faster and more reliably than would be possible through manual Disaster Recovery procedures.

Developing a Business Continuity Plan

• Business Impact Analysis: Here, the business will identify functions and related resources that are time-sensitive.
• Recovery: In this portion, the business must identify and implement steps to recover critical business functions.
• Organization: A continuity team must be created. This team will devise a plan to manage the disruption.
• Training: The continuity team must be trained and tested. Members of the team should also complete exercises that go over the plan and strategies.