Business Continuity Plans vs Disaster Recovery Plans

Business Continuity Plans vs Disaster Recovery Plans

Guillaume Lhomel
Global Head of IT

In these turbulent times, companies realize how Business Continuity Plans (BCP) are crucial. One common mistake in the IT world is to mix Business Continuity Plan with Disaster Recovery Plan (DRP). Actually DRPs are often part of BCPs, and their focus, as per usual definition, is on restoring compute capabilities or core IT functions enabling business lines to perform their daily activities.

But what happens when compute capabilities are not affected by the disaster, but IT remains the key to enable a Business Continuity Plan? It is common to forget situations like the ones were are living today, a sanitary crisis, where business lines must from one day to the other change their way of working to maintain their commitments with customers, suppliers, internal company organization (payroll?)…

There, IT organisations need an established framework with the below:

  • Vital Portfolio: What are the tools enabling people working remotely? Do the companies have the right capacities to cover this (bandwidth, licenses, security checks…)? How solid are IT suppliers and partners to adapt their solutions?

With the emergence of Cloud actors the past years, companies can shift part of their applications and productivity tools out of their data centers/data rooms, maintaining a high-level of security for their end-users and company assets. The IT organisations must create this “Vital portfolio” of productivity tools and applications enabling end-users to perform critical work from various locations, without dedicated connectivity to the company network. Major actors like Microsoft, GAFA companies, Salesforce are powerful in this market and already offer those remote capabilities with extended applications’ offering. Smaller ones propose those capabilities but come to the attention point of their resilience in regards to major events, security exposure, load capacities.

  • Security set: This must be considered in your BCP to ensure the alternate model will not put at risk your company, data, assets, nor your colleagues themselves.

Cyber-attacks increased exponentially the past years and major events lead to a peak of those attacks to exploit weaknesses of companies and the unknown for people changing their way of working: instant messaging tools, phishing mails… You need this set of tools authorized and best practices documented for people not on your premises… The communication must empower people and make them accountable for their use of tools.

  • End-user readiness: How do you train your colleagues to such situations? How do you communicate best practices for them but also to protect your company?

The BCP framework should dedicate enough information to guide people, step-by-step, during this turbulent time. People are disoriented and must be guided to the basics. They are usually explained that nothing must change and commitments are still valid. Changing from the office environment to remote could be highly impacting: socially with families, professionally with the new virtual environment for collaboration with colleagues. The worker must adapt with a new agenda for breaks, lunches, virtual meetings, phone calls… The guidance is a joint-work between several core functions of the company (HR, Communication, department heads…) including IT. The “How-to” for IT will describe all basic steps for simple operations like starting the computer, launching business applications, joining virtual meetings, exchanging files with colleagues… Also, for the well-being of the colleague and the sustainability of the model, think about how you could provide the best collaboration experience. Video calls are now part of our daily work and should be promoted as much as possible, should your infrastructure support the network load. During the crisis, more advanced use-cases should be delivered on a regular basis when basics are well adopted and become natural for collaborators.

When documenting those tips, think about protecting the IT environment. Some tools or application may consume your network capacity or your service desk bandwidth due to the complexity of the application. The best will be for you to link the guidance to the vital portfolio defined prior. All recommendations must take into account IT impacts: assets’ capacity, licenses limitation, network bandwidth, support contracts.

  • Business forecasts and capacity management: How to you consider your capacity plans? how to recover and support business lines at the end of the crisis?

During the event itself, resources consumption will shift from A to B. Make sure your capacity management is consistent with your vital portfolio. Then, most of the time, a crisis terminates with a resurgence of activities and companies will quickly request full IT capacity or even more to catch-up. Up to C-levels to revise business and financial forecasts with delivery leads, and to you to secure IT capacity accordingly. Once you enter in the BCP with the alternate model, this is time to plan the capacity for the “after”. The after will surely not be a “back-to-before”. Lessons learned will happen in all departments and at the executive level. Your company will now differentiate from your competition with its capability to adapt the delivery model and retain the best agility met during the BCP execution

IT function is not only about technology but how it is integrated and part of the company strategy and investments to secure business perennial. 

Related Post
Similar Resources