Business Continuity Planning (BCP)

& Disaster Recovery Planning (DRP)

Business Continuity Planning (BCP) &

Disaster Recovery Planning (DRP)

BCP and DR are programs done by different

organizations and business to ensure that
their operations will not be affected in case
of devastating events that may occur in
their area.
These two programs are now becoming
essentials
for
businesses
and
large
corporations.

What is BCP ?

BCP or Business Continuity Planning is a

program
in
which
businesses
and
organizations are planning ahead the
possible crisis and calamities that may
affect, greatly, their operation.
This crisis is not only limited to natural
calamities like flood or thunderstorms but
also applicable to the death or sudden
resignation of important employees that
have key roles in their operations.

What is DR ?

DR or Disaster Recovery focuses on the set of

actions that businesses will take after suffering
disaster may it be natural or man-made.
Its sole purpose is business preservation,
meaning, how the businesses would cope up
and be able to operate again after a disaster
occurred like loss of electricity, computer
viruses, and thieves.
This Disaster Recovery program is a just a part
of BCP.

Key Objective of both BCP or DR

How to preserve critical business

functions in the face of a disaster.

In Short : Continuity of Business

(COB)

Difference between BCP and DR

1. BCP is a proactive strategy
whereas DR is a reactive approach.
2. BCP helps prevent and anticipates
a disaster or unfavourable incident
in advance whereas DR is a strategy
that treats or recovers from
disasters and the like.

The BCP domain addresses:

Continuation of critical business

processes when a disaster destroys
data processing capabilities
Preparation,
testing
and
maintenance of specific actions to
recover normal processing (the
BCP)

Disasters natural, man-made

Fire, flood, hurricane, tornado,

earthquake, volcanoes
Plane crashes, vandalism, terrorism,
riots, sabotage, loss of personnel,
etc.
Anything that diminishes or
destroys normal data processing
capabilities

Disasters are defined in terms of the

business

If
it
harms
critical
business
processes, it may be a disaster
Time-based definition how long
can the business stand the pain?
Probability of occurrence

Broad BCP objectives - CIA

Confidentiality

Integrity

Availability

BCP objective

Create, document, test, and update

a plan that will:

Allow timely recovery of critical

business operations
Minimize loss
Meet legal and regulatory
requirements

Scope of BCP

Used to be just the data center

Now includes:

Distributed operations
Personnel, networks, power
All aspects of the IT environment be it
Database servers, hardware's,
telephones, servers, software's,
applications etc

Creating a BCP

Is an on-going process, not a

project with a beginning and an end

Creating, testing, maintaining, and

updating
Critical business functions may evolve

The BCP team must include both

business and IT personnel
Requires the support of senior
management

The five BCP phases

Project management & initiation

Business Impact Analysis (BIA)
Recovery strategies
Plan design & development
Testing, maintenance, awareness,
training

I - Project management & initiation

Establish need (risk analysis)

Get management support
Establish team (functional, technical, BCC
Business Continuity Coordinator)
Create work plan (scope, goals, methods,
timeline)
Initial report to management
Obtain management approval to proceed

II - Business Impact Analysis (BIA)

Goal: obtain formal agreement with

senior management on the MTD for
each time-critical business resource
MTD maximum tolerable
downtime, also known as MAO
(Maximum Allowable Outage)

II - Business Impact Analysis (BIA)

Quantifies loss due to business

outage (financial, extra cost of
recovery, embarrassment)
Does not estimate the probability of
kinds of incidents, only quantifies
the consequences

II - BIA phases

Choose information gathering

methods (surveys, interviews,
software tools)
Select interviewees
Customize questionnaire
Analyze information
Identify time-critical business
functions

II - BIA phases (continued)

Assign MTDs
Rank critical business functions by
MTDs
Report recovery options
Obtain management approval

III Recovery strategies

Recovery strategies are based on

MTDs
Predefined
Management-approved

III Recovery strategies

Different technical strategies

Different costs and benefits
How to choose?
Careful cost-benefit analysis
Driven by business requirements

III Recovery strategies

Strategies should address recovery

of:

Business operations
Facilities & supplies
Users (workers and end-users)
Network, data center (technical)
Data (off-site backups of data and
applications)

III Recovery strategies

Technical recovery strategies

scope

Data center
Networks
Telecommunications

III Recovery strategies

Technical recovery strategies

methods

Subscription services
Mutual aid agreements
Redundant data centers
Service bureaus

III Recovery strategies

Technical recovery strategies

subscription service sites

Hot fully equipped

Warm missing key components
Cold empty data center
Mirror full redundancy

III Recovery strategies

Technical recovery strategies

redundant processing centers

Expensive
Maybe not enough spare capacity for
critical operations

III Recovery strategies

Technical recovery strategies

service bureaus

Many clients share facilities

Almost as expensive as a hot site
Must negotiate agreements with other
clients

III Recovery strategies

Technical recovery strategies data

Backups of data and applications

Off-site vs. on-site storage of media
How fast can data be recovered?
How much data can you lose?
Security of off-site backup media
Types of backups (full, incremental,
differential, etc.)

IV BCP development /
implementation

Detailed plan for recovery

Business & service recovery plans

Maintenance
Awareness & training
Testing

IV BCP development /
implementation

Sample plan phases

Initial disaster response

Resume critical business ops
Resume non-critical business ops
Restoration (return to primary site)
Interacting with external groups
(customers, media, emergency
responders)

V BCP final phase

Testing
Maintenance
Awareness
Training

V BCP final phase

Until its tested, you dont have a

plan
Kinds of testing

Structured walk-through
Checklist
Simulation
Parallel
Full interruption

V BCP final phase

Fix problems found in testing

Implement change management
Audit and address audit findings
Annual review of plan
Build plan into organization

V BCP final phase

BCP team is probably the DR team

BCP training must be on-going

BCP training needs to be part of the

standard on-boarding and part of
the corporate culture

Few scenarios of BCP/DR

Technology Breakdown
Let's assume that a large banking company runs
its core business from a major city in India. One
fine afternoon its network is attacked by cyber
terrorists or there's a virus outbreak. In such a
situation, the data integrity is lost. The easiest
way to manoeuvre this disaster would be to
immediately isolate the cyber attack on the
branch and transfer the core job to a DR
datacenter hosted at some other location. This
would help users to immediately connect to
remote DR servers and get back to work.

Few scenarios of BCP/DR

Epidemic disaster
Take another scenario. One day the same city where
the bank was operating from, encounters an
epidemic. The Bird Flu virus hits the city, and being
an airborne virus, infects anybody walking out in the
open. So a city wide red alert is sounded, a curfew is
enforced, and nobody can come out in the open. In
such a scenario, all your pillars that constitute
Business Continuity remain intact except human
resources. So your data, equipment and workplace
are intact but no one can come to the office and
operate from there. So, the strategy to overcome
such a problem should be different. Here you must
have a DR site with not only data, but also with a
backup of employees who can take over the charge
of the center and finish the tasks from some other
city.

Few scenarios of BCP/DR

Earthquake disaster
Now let's take another example where an earth quake
destroys the entire building, with the data center and
all the equipment. Here, even though peoples' lives
might be saved, everything else would get destroyed.
In such a situation, a remote DR site is required where
you have all the necessary equipment, seating
arrangements, data and even a recreation zone, where
you can fly in your staff and let them get back to work
in as less a time as possible. Such a DR site should not
be in the same geographical location as the site in
question, so that the calamity does not affect both
sites at the same time. On the other hand, it should
not be too far away so that it takes a lot of time to fly
out people.

So what will happen if I dont have a

BCP/DR Plan ??

The cost of not having a robust continuity solution

in place could be catastrophic lost revenues,
bad press coverage, loss of customers and
competitive mindshare to name but a few.
A web site for e-Commerce may suffer losses
from $10K to $100K every hour, depending on
the volume of the site. Large telesales businesses
like airline reservations, catalog sales, and TVbased home shopping can easily miss sales
opportunities of $100K an hour.
In financial markets, losses total several million
dollars per hour of downtime.

In Summary

Plan, Plan, Plan

Gather as much critical information
on what you will need to recover
before an event ever happens
Establish procedures for recovery
Establish priorities for recovery
Keep people informed
Keep a record of what happened for
a lessons learned evaluation

Strategies of Database Availability

Two attributes of database availability

namely, the severity of database
downtime and the latency of database
recovery provide a context for
understanding general categories (like
high availability, continuous availability,
and disaster recovery), as well as specific
strategies for database availability (like
maintenance, clusters, replication, and
backup/restore).

How Sybase help in having a sound

DR in place for Databases

Sybase Solutions for Database

Availability

Sybase triple layer resilience solution