Without a BCP Your DRP = NOTHING!!!

8 Feb

Throughout the last number of weeks as the topic of business continuity management, disaster recovery, the stages through which the continuity and recovery plans are made, the business continuity’s connection to risk management and even lessons learned from real life natural disasters such as Hurricane Katrina. Why they all have valid points and interesting ideas the purpose for this entry is to establish that without a BCP, (business continuity plan) then an organisations’ DRP (disaster recovery plan) will be useless and not worthwhile.

The issue here is that a lot of companies and IT organisations are under the illusion that once a DRP is in place then everything is covered and they assume that it is the same as the BCP. But this is where the huge error occurs because the BCP is a lot more fundamental than they believe. A business needs to plan and make changes for such an event. A DRP will only cover the processes in bringing up the system but what it fails to cover is a vital cog, and that is the human element in the equation. This is where the crucial BCP will come into play but it is often ignored.

Take for example a company’s system which is totally redundant and automated and is fully prepared in the event of failover where to occur. And then when it does, whether it be an earthquake, hurricane, a storm, massive blackouts etc. and the business system is up and running on some cloud based service due to the DR product that was chosen and the company’s DRP worked perfectly. Or so you thought?

But there’s one big problem and that is that there is no staff there to work on the system due to the disaster that is after occurring and with access to the office restricted, no electricity or internet connection and the phone networks are down. The business is up and running but essentially with nobody to run it. This is where the BCP will come into play as part of the DRP.

In reality a lot of enterprises out there when designing a DRP use tools advertised, and they do exactly what they say on the tin. From the IT side of the DRP, the cloud has made it significantly easier with services such as EC2 and Azure but by making the IT side easier to manage doesn’t address the entire issue. It is highly likely that the management of an organisation has not realistically thought of an event extreme enough where all staff are going to be unavailable due to a disaster as there are more important issues to deal in the wake of such an event. In other words business continuity is a company-wide problem and management needs to be made aware of such issues or else when the system ‘fails’ because no staff was available to work it the system will be to blame.

There are several questions which need to be addressed in case of such an event occurring and this is where the BCP will come into play in the overall DRP. Questions such as;

  • Who will run the system if the building or even worse the city is off limits?
  • Who will respond to queries on the website and run payroll?
  • Do the employees have somewhere to work?
  • Where can the PC’s go to keep up and running?

Some solutions to these problems can be to consider having an office at a separate location maybe with a mirrored data-centre and when the primary staff are unable to work then additional staff can continue the work from the separate location so business is not a standstill due to the disaster. Although the costs may be initially high, if an organisation needs to keep running and generating revenue, like most businesses, this should not be a big issue. A lot of organisations are ignorant to the business continuity as they believe that the ‘disaster’ or ‘major event’ will never affect their company or organisation, and as a result they fail to plan for it, or may only plan to the bare minimum while also ignoring the human factor.

IT is now a critical business function in nearly all businesses now and it would be extremely foolish to even consider recovery without thorough planning.

As the saying goes “Fail to prepare, prepare to FAIL”.

Sources:

  1. http://www.ibmbusinesscontinuityindex.com/
  2. http://thenextweb.com/insider/2012/10/25/dr-needs-bc/
  3. http://en.wikipedia.org/wiki/Business_continuity_planning

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: