What is a business continuity plan?
A business continuity plan (BCP) is a document that outlines how a business will continue operating during an unplanned disruption in service. It’s more comprehensive than a disaster recovery plan and contains contingencies for business processes, assets, human resources and business partners – every aspect of the business that might be affected.
Plans typically contain a checklist that includes supplies and equipment, data backups and backup site locations. Plans can also identify plan administrators and include contact information for emergency responders, key personnel and backup site providers. Plans may provide detailed strategies on how business operations can be maintained for both short-term and long-term outages.
A key component of a business continuity plan (BCP) is a disaster recovery plan that contains strategies for handling IT disruptions to networks, servers, personal computers and mobile devices. The plan should cover how to reestablish office productivity and enterprise software so that key business needs can be met. Manual workarounds should be outlined in the plan, so operations can continue until computer systems can be restored.
There are three primary aspects to a business continuity plan for key applications and processes:
- High availability: Provide for the capability and processes so that a business has access to applications regardless of local failures. These failures might be in the business processes, in the physical facilities or in the IT hardware or software.
- Continuous operations: Safeguard the ability to keep things running during a disruption, as well as during planned outages such as scheduled backups or planned maintenance.
- Disaster recovery: Establish a way to recover a data center at a different site if a disaster destroys the primary site or otherwise renders it inoperable.
Evolution of business continuity plans
Business continuity planning emerged from disaster recovery planning in the early 1970s. Financial organizations, such as banks and insurance companies, invested in alternative sites. Backup tapes were stored at protected sites away from computers. Recovery efforts were almost always triggered by a fire, flood, storm or other physical devastation. The 1980s saw the growth of commercial recovery sites offering computer services on a shared basis, but the emphasis was still only on IT recovery.
The 1990s brought a sharp increase in corporate globalization and the pervasiveness of data access. Businesses thought beyond disaster recovery and more holistically about the entire business continuity process. Companies realized that without a thorough business continuity plan they might lose customers and their competitive advantage. At the same time, business continuity planning was becoming more complex because it had to consider application architectures such as distributed applications, distributed processing, distributed data and hybrid computing environments.
Organizations today are increasingly aware of their vulnerability to cyber attacks that can cripple a business or permanently destroy its IT systems. Also, digital transformation and hyper-convergence creates unintended gateways to risks, vulnerabilities, attacks and failures. Business continuity plans are having to include a cyber resilience strategy that can help a business withstand disruptive cyber incidents. The plans typically include ways to defend against those risks, protect critical applications and data and recover from breach or failure in a controlled, measurable way.
There’s also the issue of exponentially increasing data volumes. Applications such as decision support, data warehousing, data mining and customer resource management can require petabyte-size investments in online storage.
Data recovery no longer lends itself to a one-dimensional approach. The complex IT infrastructure of most installations has exceeded the ability of most shops to respond in the way they did just a few years ago. Research studies have shown that without proper planning, businesses that somehow recovered from an immediate disaster event frequently didn’t survive in the medium term.
Why is a business continuity plan important?
It’s important to have a business continuity plan in place to identify and address resiliency synchronization between business processes, applications and IT infrastructure. According to IDC, on average, an infrastructure failure can cost USD $100,000 an hour and a critical application failure can cost USD $500,000 to USD $1 million per hour.
To withstand and thrive during these many threats, businesses have realized that they need to do more than create a reliable infrastructure that supports growth and protects data. Companies are now developing holistic business continuity plans that can keep your business up and running, protect data, safeguard the brand, retain customers – and ultimately help reduce total operating costs over the long term. Having a business continuity plan in place can minimize downtime and achieve sustainable improvements in business continuity, IT disaster recovery, corporate crisis management capabilities and regulatory compliance.
Yet developing a comprehensive business continuity plan has become more difficult because systems are increasingly integrated and distributed across hybrid IT environments – creating potential vulnerabilities. Linking more critical systems together to manage higher expectations complicates business continuity planning – along with disaster recovery, resiliency, regulatory compliance and security. When one link in the chain breaks or comes under attack, the impact can ripple throughout the business. An organization can face revenue loss and eroded customer trust if it fails to maintain business resiliency while rapidly adapting and responding to risks and opportunities.
Using consulting, software and cloud-based solutions for a business continuity plan
Many companies struggle to evolve their resiliency strategies quickly enough to address today’s hybrid IT environments and changing business demands. In an always-on, 24x7 world, global companies can gain a competitive advantage – or lose market share – depending on how reliably IT resources serve core business needs.
Some organizations use external business continuity management consulting services to help identify and address resiliency synchronization between business processes, applications and IT infrastructure. Consultants can provide flexible business continuity and disaster recovery consulting to address a company’s needs – including assessments, planning and design, implementation, testing and full business continuity management.
There are proactive services, such as IBM IT Infrastructure Recovery Services to help businesses identify risks and ensure they are prepared to detect, react and recover from a disruption.
With the growth of cyber attacks, companies are moving from a traditional/manual recovery approach to an automated and software-defined resiliency approach. The IBM Cyber Resilience Services approach uses advanced technologies and best practices to help assess risks, prioritize and protect business-critical applications and data. These services can also help business rapidly recover IT during and after a cyber attack.
Other companies turn to cloud-based backup services, such as IBM Disaster Recovery as a Service (DRaaS) to provide continuous replication of critical applications, infrastructure, data and systems for rapid recovery after an IT outage. There are also virtual server options, such as IBM Cloud Virtualized Server Recovery to protect critical servers in real-time. This enables rapid recovery of your applications at an IBM Resiliency Center to keep businesses operational during periods of maintenance or unexpected downtime.
For a growing number of organizations, the answer is with resiliency orchestration, a cloud-based approach that uses disaster recovery automation and a suite of business continuity management tools designed specifically for hybrid-IT environments. For instance, IBM Resiliency Orchestration helps protect business process dependencies across applications, data and infrastructure components. It increases the availability of business applications so that companies can access necessary high-level or in-depth intelligence regarding Recovery Point Objective (RPO), Recovery Time Objective (RTO) and the overall health of IT continuity from a centralized dashboard.
Key features of an effective business continuity plan (BCP)
The components of business continuity are:
- Strategy: Objects that are related to the strategies used by the business to complete day-to day activities while ensuring continuous operations
- Organization: Objects that are related to the structure, skills, communications and responsibilities of its employees
- Applications and data: Objects that are related to the software necessary to enable business operations, as well as the method to provide high availability that is used to implement that software
- Processes: Objects that are related to the critical business process necessary to run the business, as well as the IT processes used to ensure smooth operations
- Technology: Objects that are related to the systems, network and industry-specific technology necessary to enable continuous operations and backups for applications and data
- Facilities: Objects that are related to providing a disaster recovery site if the primary site is destroyed
The business continuity plan becomes a source reference at the time of a business continuity event or crisis and the blueprint for strategy and tactics to deal with the event or crisis.
The following figure illustrates a business continuity planning process used by IBM Global Technology Services. It’s a closed loop that supports continuing iteration and improvement as the objective. There are three major sections to the planning process:
- Business prioritization: Identify various risks, threats and vulnerabilities, and establish priorities.
- Integration into IT: Take the input from business prioritization and perform an overall business continuity program design.
- Manage: Administer what has been assessed and designed.