Cloud computing. Onus of BC/DR shifts to your cloud providers—which can be a benefit and a risk. Be sure your contracts clearly spell out your requirements. Also, testing across multiple cloud providers is complex.
Mobile computing. Makes crisis communications and the process of locating employees potentially easier.
Social networks. Enables better communication not only with employees but with the world at large.
Read more details and caveats in 4 critical trends in business continuity.
Who should lead our BC/DR program? Where should it report?
There isn't a one-size-fits-all answer. The critical thing is for the BCDR program leader to have a broad perspective and enough clout to get the right elements in place.
It bears repeating: Information systems are certainly central to today's business operations. However, an IT-only BCDR plan is hardly a plan at all. The same holds true for a facilities-only plan. Understanding the full array of assets, people, systems, and processes that make your business run is the key to success.
More and more organizations are creating Enterprise Risk Management departments or programs, and that is a natural fit for business continuity efforts.
Can we outsource our contingency measures?
Disaster recovery services—offsite data storage, mobile phone units, remote workstations and the like-are often outsourced, simply because it makes more sense than purchasing extra equipment or space that may never be used. In the days after the Sept. 11 attacks, disaster recovery vendors restored systems and provided temporary office space, complete with telephones and Internet access for dozens of displaced companies.
What advice would you give to security executives who need to convince their CEO or board of the need for disaster recovery plans and capabilities? What arguments are most effective with an executive audience?
Hager advised chief security officers to address the need for disaster recovery through analysis and documentation of the potential financial losses. Work with your legal and financial departments to document the total losses per day that your company would face if you were not capable of quick recovery. By thoroughly reviewing your business continuance and disaster recovery plans, you can identify the gaps that may lead to a successful recovery. Remember: Disaster recovery and business continuance are nothing more than risk avoidance. Senior managers understand more clearly when you can demonstrate how much risk they are taking."
Hager also says that smaller companies have more (and cheaper) options for disaster recovery than bigger ones. For example, the data can be taken home at night. That's certainly a low-cost way to do offsite backup.
Some of this sounds like overkill for my company. Isn't it a bit much?
The elaborate machinations that USAA went through in developing and testing its contingency plans might strike the average CSO (or CEO, anyway) as being over the top. And for some businesses, that's absolutely true. After all, HazMat training and an evacuation plan for 20,000 employees is not a necessity for every company.
Like many security issues, continuity planning comes down to basic risk management: How much risk can your company tolerate, and how much is it willing to spend to mitigate various risks?
In planning for the unexpected, companies have to weigh the risk versus the cost of creating such a contingency plan. That's a trade-off that Pete Hugdahl, USAA's assistant vice president of security, frequently confronts. "It gets really difficult when the cost factor comes into play," he said. "Are we going to spend $100,000 to fence in the property? How do we know if it's worth it?"
And—make no mistake—there is no absolute answer. Whether you spend the money or accept the risk is an executive decision, and it should be an informed decision. Half-hearted disaster recovery planning (in light of the BP oil spill of 2010, the 2005 hurricane season, 9/11, the Northeast blackout of 2003, and so on) is a failure to perform due diligence.
This document was compiled from articles published in CSO magazine and CSOonline.com. Contributing writers include Joan Goodchild, Bill Brenner, Scott Berinato, Kate Walsh, Kathleen Carr, Daintry Duffy, Michael Goldberg, and Sarah Scalet.
What else can I do?
Cloud services company Evolve IP has created a list of suggestions for executives to evaluate their current disaster avoidance plans or, should a plan not exist, provide directional measures to protect their information and communications systems.
Elect one spokesperson from the group for communication. In the event of a multi-location organization each location should have a core team or representative that works with the corporate entity.
Identify risks in the following areas:
Information – What information and information systems are most vital to continue to run the business at an acceptable level?
Communication Infrastructure – What communications (email, toll free lines, call centers, VPNs, Terminal Services) are most vital to continue to run the business at an acceptable level?
Access and Authorization – Who needs to access the above systems and in what secure manner (VPN, SSL, DR Site) in the event of a disaster?
Physical Work Environment – What is necessary to conduct business in an emergency should the affected location not be available?
Internal and External Communication – Who do we need to contact in the event of an emergency and with what information?
Create a written recovery plan that is hosted remotely in a secure and redundant data center. Schedule and test your plan at least once per year or in accordance with regulatory/compliance requirements. Ensure employees can access the hosted environment (both from within the business confines and remotely) during fail-over mode from the designated locations.
Further Reading
More in-depth coverage of disaster recovery and business continuity planning:
How to perform a disaster recovery business impact analysis
Includes a sample BIA worksheet
BCDR event planning, detection and response
Tom Olzak lays out a checklist of key considerations
Advice for businesses from security and continuity advisory services.
Business continuity plans only work if they take employee needs into account.
Interview: The Optimistic Pessimist
Mike Hager escaped from the World Trade Center and got OppenheimerFunds up and running again in less than five hours. Now he faces another challenge: keeping America interested in business continuity planning.
This story, "Business continuity and disaster recovery planning: The basics" was originally published by CSO.