BC/DR planning coherence: Stepwise toward business resilience

Posted on August 24, 2017 by Tim Burke

As I mentioned in my last post, 68% of those in organizations committed to a multi-site resilience strategy – e.g., using Disaster Recovery as a Service (DRaaS), shifting IT infrastructure to a managed service provider environment, or deploying hybrid solutions – have confidence that their IT environments will perform as expected during unplanned downtime. For many, though, the process of evaluating the cloud, managed services, and/or co-location offerings necessary to this strategy ranges from “could use improvement” to downright incoherent. Shaping an effective multi-site resilience strategy starts with planning basics.

Business continuity planning comes first

A multi-site resilience strategy derives from a business resilience strategy – otherwise known as business continuity. Without a carefully considered business continuity strategy, no amount of jiggering your data-, systems-, and network-oriented recovery stances will stave off the damages triggered by unplanned downtime. A business continuity plan articulates all the ways the business needs to prevent, respond to, and recover from disruptions that challenge its ability to function. This entails conducting a business impact analysis (BIA) to identify your enterprise’s most important business functions and the systems and assets supporting them. You’ll also need to conduct a risk assessment to identify internal and external threats and vulnerabilities.

Next: your disaster recovery plan

Once you’ve nailed your business continuity plan, you’ll be able to drill down into disaster recovery (DR) plan specifics concerning how you intend to recover your IT systems and services after a disruption.

The goal of your DR plan is to establish easy-to-use, repeatable processes for responding to incidents – processes that recover damaged IT assets or relocate them to a third-party hot site or other alternate space (cloud, co-lo), thus returning the business to normal operations ASAP. To accomplish this, your DR plan should include detailed definitions of the actions and systems necessary to ensure your DR processes perform as intended – as well as regular, repeated testing of the resulting DR plan constructs. Along the way, you’ll determine recovery time objectives (RTOs), recovery point objectives (RPOs), and other DR-focused concerns.

Be sure to also pay attention to…

- Security planning and policy, which should be integrated into DR planning.
- Change management, so you have established procedures for making changes to your environment and/or discovering what changes caused problems.
- Training your employees.
- What’s in your service-level agreements (SLAs).
- Compliance requirements, since those who embrace them recover more quickly from major disruptions.

Remember: resilience planning is never a one-off

Every alteration to your apps, services, systems, networks, or business processes makes your resilience plan outdated. Expect to continuously modify your resilience plan and test it to ensure it behaves as you require. And don’t try to do resilience planning and testing alone. Engage a trusted technology partner with deep experience in business and IT resilience to help you keep your business ready for anything.