There’s nothing more important to a thriving business than having the proper technology in place to support not only their day-to-day activities but also their business goals. However, one strong storm, unfortunate fire, malfunctioning piece of equipment, or workstation that kicks the bucket can wreak havoc on an operation that isn’t prepared with a proper Business Continuity and Disaster Recovery plan.
Although they’re often discussed at the same time, Business Continuity and Disaster Recovery are two different entities that work together to support and maintain a healthy IT infrastructure. Each is significant independently, but when they’re implemented together they form the groundwork for a business that will be able to weather any storm and withstand any mishap that could otherwise put them out of business.
Disaster Recovery is so important, in fact, that 20% of large enterprises spend an average of 10 days per month working on and perfecting their plans and systems to ensure they don’t fall victim to an irreparable situation. Unfortunately, this is a step that many smaller businesses overlook, either due to time or budget constraints, or simply not realizing the overall importance of the plan. According to FEMA, following a disaster, 90% of small businesses fail within a year if they don’t have a proper plan in place that allows them to reopen within 5 days.
While it’s important to have the technical aspects of your Disaster Recovery and Business Continuity planning lined up, the factors that will drive them are the Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Determining these two factors, which we will discuss later in this post, will help form the framework for building your Disaster Recovery and Business Continuity plans.
Let’s start with the basics...
For some reason, most people put Business Continuity before Disaster Recovery when discussing the two, but in reality, Disaster Recovery should be addressed first. That’s because Disaster Recovery typically focuses on quickly getting essential, business-critical components of the IT infrastructure up and running following an unfortunate event so that downtime is limited. Without an efficient Disaster Recovery plan, your Business Continuity plan could be severely lacking in depth and may not have the data and resources needed to efficiently execute it.
Disaster Recovery is important for three reasons:
You have to be able to get the business critical components of your system up and running as quickly as possible because it can literally make or break your company, given that your revenue depends on connectivity. Therefore, it’s important to know the difference between your business critical components and your entire IT infrastructure.
This brings us to the next question...
A business critical component is a part of your organization’s infrastructure that’s crucial to its ability to function. What may be “business critical” to one organization may be completely different for another - it truly depends on the nature of the business being performed and what information is absolutely necessary to keep things running smoothly. For some organizations this could mean that the drives where client and accounting information are held are absolutely paramount, while the human resources and marketing information could be forfeited for a few days with no serious detriment to the company.
Additionally, when reviewing what makes up the business critical components of your organization, you don’t necessarily need to include every employee’s workstation and device in your Disaster Recovery plan. In some cases, your employees may already be set up to work remotely (and your planning should include the proper steps to keep this functionality and access intact) or their day-to-day functions may not be business critical in and of themselves. (We don’t mean to imply that every employee isn’t important, but depending on the nature of your organization some positions - such as the Jr. HR Assistant or the Accounting intern - are most likely not crucial to keeping business afloat.)
Of course, one of the biggest components of an effective Disaster Recovery plan is making sure all your electronic data is backed up and recoverable. If your data isn’t being properly backed up and replicated either to another server in a colocation or, more ideally, to the cloud, it will be completely inaccessible.
Is your organization still working from paper files? If so, the very first part of a strong Disaster Recovery plan is digitizing those records. Why? Just think of the consequences that can come in many different forms, such as a fire or flood that can hit your building and destroy all of those documents.
Business Continuity is essentially the technology, processes, and procedures that your organization has in place that will allow your entire operation to continue - or be brought back to life - in the event of an outage. An “outage” could include anything from a power outage or server crash to damaged infrastructure, a snow day that keeps everyone off the roads and working from home, or a fire that destroys the office and everything in it.
While Disaster Recovery is concerned with business critical components that will keep things afloat for the time being (however long that time may be), Business Continuity is what needs to happen to get things back to their original state - or as close to it - so that full operations can resume as quickly and as close to fully functional as possible, and continue to be operational, until the original disaster has been mitigated.
Here are a couple of instances in which Business Continuity comes into play:
In either case, work needs to be done. If you’re simply trying to ensure operations continue during an inconvenient event, then it’s unlikely that you need to put your entire plan into motion but, rather, you’ll rely on the technology you have in place, such as VPNs and cloud services, to allow employees to complete work anytime, anywhere.
Therefore, after a disaster - or any type of outage - it’s important to be able to get your business critical systems up and running as soon as possible, but that isn’t going to be enough to sustain your business. That’s where Business Continuity comes in.
Once you’ve enacted the Disaster Recovery portion of your plan and can do some work, it’s time to get everything else back to normal as quickly as possible. Your Business Continuity plan should outline the following procedures:
But how, exactly, does your organization determine how much data needs to be backed up in order for operations to resume smoothly should they need to use the backups? How do you know how quickly systems need to be brought back in order to avoid substantial revenue loss? That’s where Recovery Point Objective and Recovery Time Objective come into play.
It’s probably safe to assume that every organization wants operations up and running nearly immediately and that they’d like every single piece of data recovered when they restore their systems, but that’s probably not feasible. In order to determine what resources are essential, which ones you can live without, and how long you can function without any of them, your organization has to determine its RPO and RTO.
The RPO is just what it sounds like - the point of recovery that your organization needs to get back to. Determining your RPO is essentially knowing how much data needs to be stored in your backups, should it ever need to be restored in case of an outage. Different businesses may have different needs. Certain businesses, such as law firms or medical offices, may have a legally mandated amount of time for which they need to store files. Therefore, they may be required to back up data going back several years, with each change of each document backed up as its own file. Other organizations, however, may know that they only need the last six months’ worth of the most recently updated data in order to ensure they can continue to move forward smoothly.
The RTO is determined by how long an organization can feasibly be “down” before they begin to recognize significant revenue loss that may impact their ability to ever resume operations. To figure out your RTO, you may need to work backward. For example, if you know that your business has bills and payroll totaling $X per month and that you usually have a monthly revenue of $Y, which amounts to a daily average of $Z, then you’ll be able to figure out how many days you can afford to be “down” before you will be in a position where you’re unable to meet your monthly obligations.
You can’t have one without the other. When your organization has properly set up its Disaster Recovery plan (data backup and the development of systems and processes for replicating and/or retrieving data) then the Business Continuity aspect of pulling that information back up and getting your team back to work will fall into place.
Similarly, a strong Business Continuity plan where your employees are able to work anytime, anywhere (even when the disruption is entirely temporary and more of an inconvenience than an emergency, such as a blizzard) will keep operations running as smoothly as possible all the time.