Thursday, October 29, 2020

Disaster Recovery and Business Continuity

We are a mortgage lender in the northwest. Our largest investor asked us for a Disaster Recovery Plan and a Business Continuity Plan.

We sent them the former because we consider it the same as the latter. While the investor accepted that we have a Disaster Recovery Plan, it rejected it as being also a Business Continuity Plan. We always thought these plans were basically the same thing.

Now we are scrambling to get them a Business Continuity Plan.

So, what is the difference between a Disaster Recovery Plan and a Business Continuity Plan?

It may seem like a Disaster Recovery Plan is just another way of saying Business Continuity Plan. But they are fundamentally different, and each serves different purposes. Both plans should interface with each other in complementary ways.

You cannot expect a Disaster Recovery Plan to act as a proxy for a Business Continuity Plan. Nor can you use a Business Continuity Plan to act as a proxy for a Disaster Recovery Plan. If you try that tactic with regulators, they will cite you with adverse findings. If you are state licensed, banking departments may share those findings with other states where you’re licensed. Federal prudential regulators will also likely issue adverse results.

And what are we describing here?

We are describing how to ensure the company remains viable when faced with significant threats to its existence. So, I will give you some pointers that will help you to know the difference between these two essential documents. But be advised: just as a bird does not fly on one wing, a company cannot depend on only one of these plans. It must have both!

Our firm has identified six factors in disaster recovery and business continuity.

These are:

1. Disaster Planning

2. Business Impact Analysis

3. Business Continuity Management

4. Business Continuity Plan

5. Recovery Time Objectives

6. Deployment

Without getting too detailed about each of these factors, I am going to focus on your specific question, which is: what is the difference between a Disaster Recovery Plan and a Business Continuity Plan?

Let’s begin with this concept: every Business Continuity Plan (BCP) contains a Disaster Recovery Plan (DRP). This is because the DRP is focused on data recovery and integrity, whereas the BCP is focused not only on data recovery and integrity but also on the many elements involved in the continuation of a business enterprise. Think of it this way: the BCP is business-centric, whereas the DRP is data-centric.

The BCP resolves certain tactical questions involving business operations confronted with the disruption of the business entity, such as:

- Does the company have a business continuity plan in place for continuation?

- Who are the management and staff personnel in charge of business operations?

- How does the company respond to vendors and third-party relationships?

- What challenges are anticipated and readied to fulfill obligations?

- How does the company maintain customer loyalty and public confidence?

- What aspects of the company need to be first recovered to stay in business?

- How prepared is the company to operate remotely?

- What are the financial costs of downtime to the company?

Some of the foregoing depend on the ability of the company to recover its data quickly, effectively, and broadly. If the DRP is flawed, all of that is imperiled; to wit, loss of reliability, diminished scope, inability to scale up, and persistence of downtime after the disruption has passed. Typical disasters and disruptions are wars, terrorist attacks, storms, hurricanes, tornados, pandemics, epidemics, fires, earthquakes, electric outages, and floods.

From the standpoint of the various risks – for instance, risks to reputation, legal, regulatory, operational, financial, compliance, security, fraud, and competition – failure to implement the requirements of a DRP and BCP could mean the company will not survive the disaster.

The DRP resolves specific tactical questions involving data recovery and data integrity if there is a disruption of the business entity, such as:

- Does the company have a disaster recovery solution in place for its data?

- Can the company rely on and trust the data that is recovered?

- How long will it take to recover the data from backup solutions?

- What is the projected downtime caused by the impedance to data?

- Is there an offsite copy or data center for managing data?

- What are the recovery goals and staged recovery plans?

- Are applicable network resources available to users?

- Are critical systems identified and prioritized?

It doesn’t matter if the DRP and the BCP are in separate documents or situated as sections in a single document. Many companies choose to combine them for ease of use and training of employees. Lenders Compliance Group has three primary elements in a single document: disaster recovery, business continuity, and pandemic response.

Whatever the case, it is essential to keep these plans updated, as multifarious new requirements and challenges present themselves in an ongoing, dynamic business environment.

Ideally, a BCP due diligence should begin with a Business Impact Analysis (BIA). Although it has a kind of ominous title, this process is no more than a set of procedures that identify how a disaster could impact a company. If that is not known, how can the company develop strategies to survive a disruptive event?

Then, it is important to use the BIA to design survival strategies. This is done by using the BIA recommendations to fill the gaps in the existing capabilities. Next, develop a plan, which reduces to writing the ways and means to ensure business continuity. That plan should be made available to all affected employees. Finally, the company should test the plan periodically, simulate a disruption, and learn from each test how to improve.

Ideally, a DRP review undertakes an evaluation of a company’s ability to tolerate minor to major data failures. It considers such adverse events as hacking, malware, data corruption, data breaches, and many potential IT infrastructure failures. As a subset of the BCP, the DRP is meant to keep the business running, reduce the effects of the disruption, and allow the company to gradually emerge from a disaster intact and capable of continuation.

Whereas the BCP aims at an overall approach to surviving a disaster, the DRP must proceed along certain steps to effectuate its design. The process begins with outlining needs and objectives; that is, the DRP must reflect the company’s business model, meet risk analysis guidelines, determine the files and infrastructure features to maintain, and set forth some of the threats it seeks to mitigate. Without that information, it is not really possible to restore information adequately or regain productivity.

Then, the DRP needs to take stock of its components, such as hardware, software, and data. Finally, the plan should be developed with specificity, clarity, practicality, and ease of use. Affected employees should be trained appropriately, and, importantly, ongoing monitoring and testing must be implemented.

There is a natural ebb and flow to updating the DRP and BCP. Keep them updated as changes occur in the business model, regulatory and legal environment, and technology. Management should be focused like a laser beam on Disaster Recovery and Business Continuity.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group