As someone who has been in the game too long to admit how long, I can assure you the rules of proper business resilience planning has NOT changed.  The demands on the plan have clearly changed but not the need to have and maintain a plan. The traditional method of write-it-once, put-it-on-a-shelf and check it once a year is long gone.

Today, to meet the demands of the issues facing your business, the plan must be fluid and more importantly actionable.

For those who know me, I am a framework and patterns person.  I see business challenges as repeatable patterns. To address this, I am a firm believer in building frameworks to address these patterns in an effective manner that can be actioned.  See a Problem, Fix a Problem is my mantra.

Business resiliency is more than just a buzz word.  Look at the sheer number of organizations today under tremendous stress for they did not have an adequate plan to execute.  COVID-19 may be unique as a pandemic, but it is very similar in pattern to being denied access to your buildings from mould, vandalism, structural stress etc.  This is NOT to make light of how serious COVID-19 is. It is real, please wear a mask and adhere to public health guidelines.

For many years I have followed a methodology for business continuity.  Over the years I have tuned it and tweaked it to meet the needs of the organizations I was engaged to assist.  What I had found was if a framework was deployed and leveraged, responses to incidents become less stressed, more focused and with a much higher rate of success.   The post-mortems become, truly lessons learned and not “witch hunts”.

During any crisis, proper crisis management should be leveraged and that is a topic for another post.  We as business leaders forget at times that to resolve a problem, we need to engage our staff. Our staff are humans that must be cared for and protected as such during a crisis.  The mitigation of the issue becomes the focal point, then after it is resolved proper remediation needs to be engaged to improve the next response to an incident.

Now on to the framework.  Refer to the graphic above as a guide.

Business Continuity Plan

The Business Continuity Plan is responsible for business interests as a whole entity.

The Business Continuity Plan is the overarching plan to support business interest.  It covers elements of staff, buildings, communications, and stakeholders. The components of the BCP include.

  • approach
  • team compositions
  • classification of business services
  • physical addresses
  • contact trees
  • stakeholders
  • communication plan

Before you declare a disaster, you refer to the BCP to ensure the executive team is engaged and an appropriate level of approval has been obtained.  It can be as quick as a phone call or it may involve calling in financial and legal teams to confirm the severity of the declaration along with appropriate messaging.

The Business Continuity Plan also refers to business internal and external stakeholders.

Disaster Recovery Framework

The Disaster Recovery Framework is guided by the Business Continuity Plan and is the actual process to follow.

The Disaster Recovery Framework becomes the execution model for specific Disaster Recover Plans.  It is a structured approach to defining the scenarios in both terms of impacted areas, and execution plans but also the definition of completion.

By allowing for a structured approach to recovery, your organization is well-positioned to have a consistent, measurable, and successful recovery from the many different types of technical disaster recovery declarations.

The goal of the Disaster Recovery Framework is to confirm what type of scenario has occurred.  A scenario could be one or more of the following.

  • Cyberattack
  • Pandemic
  • Weather/Environmental
  • Fire
  • No access to business
  • Systems failure
  • etc.


As part of the Disaster Recovery Framework, scenarios become the structured approach to a specific Disaster Recovery Plan.

The format of each scenario is consistent to provide for improved success while executing the specific plans.

The major areas of each scenario are;

  • Description – A brief description of the event
  • Scope – The definition of what is in and potentially out of scope for the event.   This allows for containment for the recovery plans.
  • Impacted areas – This is a comprehensive list of all applications and/or components involved in the scenario.  Similar to scope but specific to applications and components.
  • Impacted clients – Who are the stakeholders, action item holders, consulted with groups, informed groups both at the business and technical areas.
  • Resources – Who are the resources both internal and external required to complete the plan.
  • Recovery Overview – This is the high-level description of the major checkpoints during a recovery plan.
  • Major recovery stages (Project Plan) – This is a breakdown of phases with associated tasks to be completed by the plan.  It may or may not refer to technical recovery plans.
  • Recovery success determination – What is the definition of success as it relates to the recovery.

Disaster Recovery Plans

The Disaster Recovery Plan is the actual plan to follow wrapped in a specific communications plan.

Typically, this is a formal document, but it can also be a digital tool that lays out the plan to be executed along with a communication plan to keep all stakeholders informed and engaged. I am a firm believer the plan should be digital and in the cloud. That way it is always current and accessible and more importantly, it can be audited.

The contents of a plan may look like the following.

  • Control
  • Introduction
  • Systems and applications
  • Execution Plan
    • Milestones
    • Work Instruction(s) to be followed
  • Contact List
  • Teams
  • Results and Findings

Work Instructions

Work Instructions are very detailed instructions on the actual recovery steps for a specific application and/or component. This is the knowledge base to recovery from a component element all the way up to larger application functions. They may be a small or a very large document that is to be followed.

The instructions should be very complete and NOT rely on internal undocumented knowledge. These Work Instructions are reusable across many Disaster Recovery Plans for they are specific to applications and components.  By leveraging a consistent method for these technical instructions, fewer errors are encountered, and a higher level of repeatable success is observed.

The work instructions are potentially used frequently by operations outside of a recovery process. These instructions need to be complete so the individual using the instructions has all they need to complete the task.

Recovery Flow

The recovery flow is as follows.

  • BCP deals with the business
  • DRF is the process to follow
  • DRPs is the actual execution plan to follow
  • Work Instructions are the actual instructions to be followed


Plan the work and then work the plan.  Your plan is the guide to follow. The plan will likely need to change during the execution but not the need to have one. The Disaster Recovery Framework provides a process to follow to ensure all the needs of the business and its stakeholders are accounted for during a recovery event.

Tim Lalonde

Tim Lalonde is the VP of Technical Operations at Mid-Range. He works with leading-edge companies to be more competitive and effective in their industries. He specializes in developing business roadmaps leveraging technology that create and support change from within — with a focus on business process re-engineering, architecture and design, business case development and problem-solving.

With over 30 years of experience in IT, Tim’s guiding principle remains simple: See a problem, fix a problem.

Other Articles

Job Opp: IT Solution and Services Architect — IBM Power & Storage

IT Solution and Services Architect – IBM Power and Storage. This position is a senior level role focusing on IT solution presales/sales architecture…

Executive Briefing: Kaseya Supply Chain Attack

Globally, a new ransomware attack hit thousands of organizations that use a remote management tool called Kaseya. The extent of the attack is just…

Encryption Options on IBM i

With the increased number of ransomware and malware attacks hitting computer systems both for business and end-users, many organizations are looking…

Solution Decision Information Flow for Better Business Decisions

When thinking about leveraging a Managed Service Provider (MSP) for your business, it is best to answer some simple questions first: Is human…

Are You Running Out of Backup Window?

If you are running out of backup window, here are 3 questions you need to ask yourself: Am I backing up things that I do not need? When was the last…

The Case for Virtual Tape Library (aka VTL)

Any customer looking to upgrade their tape drive or buy a net new one should really take pause and consider VTL

Backup Your Office 365 Data

Veeam® Backup for O365 eliminates the risk of losing access and control over your data including Exchange Online, SharePoint Online OneDrive for…

Veeam Backup for Microsoft Office 365 – Demo Video

Veeam® Backup for Microsoft Office 365 eliminates the risk of losing access and control over your Office 365 data including Exchange Online,…

The Importance Of Cyber Insurance

I’ve been in the cybersecurity industry for pretty much my entire adult life; it’s the only career I’ve ever had. And yet one of my favorite…

Why Cybersecurity Is So Complicated

When you think of problems people had with cell phones back in the 80s, whether you experienced them firsthand or you’ve seen clips from movies, you…