As someone who has been in the game too long to admit how long, I can assure you the rules of proper business resilience planning has NOT changed.  The demands on the plan have clearly changed but not the need to have and maintain a plan. The traditional method of write-it-once, put-it-on-a-shelf and check it once a year is long gone.

Today, to meet the demands of the issues facing your business, the plan must be fluid and more importantly actionable.

For those who know me, I am a framework and patterns person.  I see business challenges as repeatable patterns. To address this, I am a firm believer in building frameworks to address these patterns in an effective manner that can be actioned.  See a Problem, Fix a Problem is my mantra.

Business resiliency is more than just a buzz word.  Look at the sheer number of organizations today under tremendous stress for they did not have an adequate plan to execute.  COVID-19 may be unique as a pandemic, but it is very similar in pattern to being denied access to your buildings from mould, vandalism, structural stress etc.  This is NOT to make light of how serious COVID-19 is. It is real, please wear a mask and adhere to public health guidelines.

For many years I have followed a methodology for business continuity.  Over the years I have tuned it and tweaked it to meet the needs of the organizations I was engaged to assist.  What I had found was if a framework was deployed and leveraged, responses to incidents become less stressed, more focused and with a much higher rate of success.   The post-mortems become, truly lessons learned and not “witch hunts”.

During any crisis, proper crisis management should be leveraged and that is a topic for another post.  We as business leaders forget at times that to resolve a problem, we need to engage our staff. Our staff are humans that must be cared for and protected as such during a crisis.  The mitigation of the issue becomes the focal point, then after it is resolved proper remediation needs to be engaged to improve the next response to an incident.


Now on to the framework.  Refer to the graphic above as a guide.

Business Continuity Plan

The Business Continuity Plan is responsible for business interests as a whole entity.

The Business Continuity Plan is the overarching plan to support business interest.  It covers elements of staff, buildings, communications, and stakeholders. The components of the BCP include.

  • approach
  • team compositions
  • classification of business services
  • physical addresses
  • contact trees
  • stakeholders
  • communication plan

Before you declare a disaster, you refer to the BCP to ensure the executive team is engaged and an appropriate level of approval has been obtained.  It can be as quick as a phone call or it may involve calling in financial and legal teams to confirm the severity of the declaration along with appropriate messaging.

The Business Continuity Plan also refers to business internal and external stakeholders.

Disaster Recovery Framework

The Disaster Recovery Framework is guided by the Business Continuity Plan and is the actual process to follow.

The Disaster Recovery Framework becomes the execution model for specific Disaster Recover Plans.  It is a structured approach to defining the scenarios in both terms of impacted areas, and execution plans but also the definition of completion.

By allowing for a structured approach to recovery, your organization is well-positioned to have a consistent, measurable, and successful recovery from the many different types of technical disaster recovery declarations.

The goal of the Disaster Recovery Framework is to confirm what type of scenario has occurred.  A scenario could be one or more of the following.

  • Cyberattack
  • Pandemic
  • Weather/Environmental
  • Fire
  • No access to business
  • Systems failure
  • etc.

Scenarios

As part of the Disaster Recovery Framework, scenarios become the structured approach to a specific Disaster Recovery Plan.

The format of each scenario is consistent to provide for improved success while executing the specific plans.

The major areas of each scenario are;

  • Description – A brief description of the event
  • Scope – The definition of what is in and potentially out of scope for the event.   This allows for containment for the recovery plans.
  • Impacted areas – This is a comprehensive list of all applications and/or components involved in the scenario.  Similar to scope but specific to applications and components.
  • Impacted clients – Who are the stakeholders, action item holders, consulted with groups, informed groups both at the business and technical areas.
  • Resources – Who are the resources both internal and external required to complete the plan.
  • Recovery Overview – This is the high-level description of the major checkpoints during a recovery plan.
  • Major recovery stages (Project Plan) – This is a breakdown of phases with associated tasks to be completed by the plan.  It may or may not refer to technical recovery plans.
  • Recovery success determination – What is the definition of success as it relates to the recovery.

Disaster Recovery Plans

The Disaster Recovery Plan is the actual plan to follow wrapped in a specific communications plan.

Typically, this is a formal document, but it can also be a digital tool that lays out the plan to be executed along with a communication plan to keep all stakeholders informed and engaged. I am a firm believer the plan should be digital and in the cloud. That way it is always current and accessible and more importantly, it can be audited.

The contents of a plan may look like the following.

  • Control
  • Introduction
  • Systems and applications
  • Execution Plan
    • Milestones
    • Work Instruction(s) to be followed
  • Contact List
  • Teams
  • Results and Findings

Work Instructions

Work Instructions are very detailed instructions on the actual recovery steps for a specific application and/or component. This is the knowledge base to recovery from a component element all the way up to larger application functions. They may be a small or a very large document that is to be followed.

The instructions should be very complete and NOT rely on internal undocumented knowledge. These Work Instructions are reusable across many Disaster Recovery Plans for they are specific to applications and components.  By leveraging a consistent method for these technical instructions, fewer errors are encountered, and a higher level of repeatable success is observed.

The work instructions are potentially used frequently by operations outside of a recovery process. These instructions need to be complete so the individual using the instructions has all they need to complete the task.

Recovery Flow

The recovery flow is as follows.

  • BCP deals with the business
  • DRF is the process to follow
  • DRPs is the actual execution plan to follow
  • Work Instructions are the actual instructions to be followed

Conclusion

Plan the work and then work the plan.  Your plan is the guide to follow. The plan will likely need to change during the execution but not the need to have one. The Disaster Recovery Framework provides a process to follow to ensure all the needs of the business and its stakeholders are accounted for during a recovery event.

Tim Lalonde

Tim Lalonde is the is the Director Of Business Development at Mid-Range. He works with leading-edge companies to be more competitive and effective in their industries. He specializes in developing business roadmaps leveraging technology that create and support change from within – with a focus on business process re-engineering, architecture and design, business case development and problem-solving.

With over 30 years of experience in IT, Tim’s guiding principle remains simple: See a problem, fix a problem.

Other Articles

Director of Sales Handshake outside with buildings

Job Opp: Sales Manager

A leadership role that is responsible for daily hands-on sales management. This includes strategizing, managing, monitoring and reporting on…

Veeam Backup for Microsoft Office 365 – Demo Video

Veeam® Backup for Microsoft Office 365 eliminates the risk of losing access and control over your Office 365 data including Exchange Online,…

The Importance Of Cyber Insurance

I’ve been in the cybersecurity industry for pretty much my entire adult life; it’s the only career I’ve ever had. And yet one of my favorite…

Why Cybersecurity Is So Complicated

When you think of problems people had with cell phones back in the 80s, whether you experienced them firsthand or you’ve seen clips from movies, you…

Top Takeaways from ESG’s White Paper on Multicloud Storage Environments - Person using a tablet

Top Takeaways from ESG’s White Paper on Multicloud Storage Environments

Research shows that when an organization has taken the necessary steps to reach Storage Maturity, they have a competitive advantage due to their…

Home Cyber Hygiene Checklist

Our homes are becoming smarter and, as cool as that is, what’s even cooler are people who are as smart as their smart homes.

A New Opportunity for Cyber Attacks

There's a cybersecurity threat so troublesome that not even some of the best cybersecurity technology can stop it. It's called psychology, and it's…

An important message to our customers & suppliers

At Mid-Range, the health of our employees, customers, partners and suppliers is our top priority. As we face the COVID-19 crisis, we would like to…

7 Cybersecurity Tips

For today’s enterprise, the question is not whether you will be attacked. It’s when, by what, and how badly your company’s reputation or finances…