Today's businesses are becoming more dependent on IT services and technology advancement. However, the emerging innovations and changes also make businesses become vulnerable to incoming threats and risks. One way businesses can overcome these vulnerabilities and protect their system is to adapt Business Continuity and Disaster Recovery Planning to their business model.

Why?

It is crucial for businesses to assure their business continuity, the availability of their systems, and the high-quality preparedness of their quick recovery in emergency situations. Increasing demands for the availability of these resources generates requirements for the IT continuity, and these requirements result in creating plans for Business Continuity Management, which are also part of emergency recovery plans (Pinta, J., 2011).

Therefore, businesses need to adapt Business Continuity Disaster Recovery (BCDR) to their business model in order to become adaptive to changes and improve their resiliency against present disruption and challenges ahead.

Business Continuity Management

Business Continuity Management is the planning process and identification of potential impacts of internal and external threats and consequential losses, which could be due to disruption or loss of key business processes from the accident, attack, or disaster (Pinta, J., 2011). Business Continuity Planning focuses on how the company can restore business operations after a disaster strike (Enhasy, 2009).

The British Standard 25999 establishes the process, principles, and terminology of business continuity management (Tammineedi, 2010). Business Continuity Management as a significant form of management practice, advocates that organizations should identify key strategic vulnerabilities, priorities, and their associated underpinning systems, processes and data, and ensure that the organisations has plans in place to manage, preserve, and, in the event or a crisis, recovery so that the business can continue without disruption (or with minimal disruption) (Mcilwee, 2013).

Disaster Recovery Planning

There are 3 models of the IT Service Catalog starting from the broader component to a more detailed component in order to grasp the complete features of each service as follows.

The growth of distributed systems and the global business environment make corporate decision makers believe that having a backup or recovery plan is necessary (Hawkins, Steve. M.; David C. Yen.; David C. Chou. 2000). Disaster Recovery Plan describes the activities that need to begin to implement immediately after the detection of an incident for which a Disaster Recovery Plan is drawn up (e.g air conditioning failure in the data center) (Pinta, J., 2011). Disaster Recovery Plan provide validation that is by that of a third-party to that of the stakeholders stating that documents are complete and do not have any sign of misinterpretation (Soni, V. D., 2021).

Disaster Recovery Plan is considered as an important component in business recovery plan to minimize risks caused by natural disasters such as hurricanes, earthquakes, or tornadoes, but also incidents caused by cyber-attacks, gadget failures, or even terrorism act, by using combined technological capabilities and methodologies. Indicators of Recovery Time Objectives type (RTO) and Recovery Point Objectives (RPO) help us to define the real requirements to ensure operation of our systems and propose appropriate solutions to these requirements (Pinta, J., 2011).

Differences Between Business Continuity and Disaster Recovery

Before implementing the BCDR plan, it should be understood first how business continuity differs from disaster recovery. The business continuity plan identifies critical business processes and determines action plans for handling mission-critical function is systems go down, while Disaster recovery plans focus primarily on the technical issues involved in keeping systems up and running, such as which files to back up and the maintenance of backup computer systems or disaster recovery services (Laudon et. al., 2006).

Business Continuity is more proactive and typically refers to processes and procedures that should be implemented to ensure the continuation of mission-critical functions during and after a disaster. Disaster recovery, on the other hand, focuses on specific steps that should be taken to resume operations after an incident. Disaster recovery action take place after the incident, and response times ranges from seconds to days. Business Continuity focuses on the organizations, whereas Disaster Recovery focuses on IT infrastructure. Disaster recovery is a part of business continuity planning which fixates on making data access easier following a disaster. Business continuity also include this, but with considering risk management and any other necessary planning that needs to be executed during an event.

How BCDR Supports Business Resilience

BCDR is the act of proactively working out a way to prevent, if possible, and manage the consequences of a disaster, limiting it to the extent that a business can afford (Ramesh. 2002). BCDR planning supports this requirement by establishing thorough plans, procedures, and technical measures that can enable a system to be recovered quickly and effectively following a service disruption or disaster (Enhasy, 2009).

The 6 Steps of BCDR Plan

a. Identify the Team

The first step to establish a BCDR plan is to identify involved members that are responsible to execute strategies and planning when incidents or disaster happens. The team will carry out business continuity plan and ensure that all employees are informed and aware on how to respond in a crisis. The team will also be responsible to raise awareness and knowledge related to BCDR plan to all employees to ensure all departments understand the objectives and able to take corrective actions when incidents happens.

b. Conduct a Business Impact Analysis (BIA)

BIA is the process of assessing the criticality of business activities and associated resource requirements to ensure operational resilience and continuity of operations during and after a business disruption. According to Tammineedi (2010), the four key objectives of BIA are as follows:

• Determine the potential impact to the organization in the event of an outage

• Identify critical services/processes and their maximum tolerable period of disruption (MTPoD), recovery time objectives (RTOs), and recovery point objectives (RPOs)

• Determine the sequence of recovering business functions and data in the event of an outage

• Identify recovery strategies, minimum resources, and vital records that are necessary for business continuity

By using BIA, business is able to identify the consequences of sudden loss of business functions and the most critical business functions to create a business continuity plan that prioritize recovery of these functions.

c. Design the Recovery Plan

When designing the Recovery Plan, it is important to establish tolerable downtime for important systems, then develop backup and disaster recovery (BDR) strategies for both the SaaS application data and those critical systems. BDR solutions might be cloud-based, or appliance based. As part of your overall plan, take Disaster Recovery as a Service (DRaaS) options into considerations. The plan should also cover the change management procedures, guidelines on how and when to use the plan, sequential procedures, and schedules for review, testing, and updating.

d. Test Your Backup

A backup and recovery plan must include disaster recovery testing. You will never be able to tell if your backup can be recovered without the right tests. Only 31% of respondents consistently test their disaster recovery strategy, according to the 2019 State of the IT Operations Survey Report. This shows that businesses frequently undervalue BDR testing and making BCDR ineffective. There are two backup strategies that can be used, which are In-house backup system and Offsite Backup System with Data Encryption. In-house backup system using in-house hardware to remove the dependence toward outside vendors which could save a lot of expenses on leasing equipment (Hawkins, et. al., 2000). When implementing backup strategies, organizations can choose to use offsite backup system with data encryption that provides secure virtual data transmission because the communication to the backup site are on the leased line.

e. Execute the Plan

The next step is executing the BCDR plan to see whether the strategies and methods are effective to prevent incidents or overcome crisis in the organization. When implementing the BCDR plan, make sure that the teams and all departments are acknowledge the plan and capable to implement them when needed.

f. Evaluate the Plan

After several executions and action taken, the BCDR plan needs corrective actions and improvements based on several findings and gap analysis. The evaluation should be conducted regularly to avoid misinterpretation and improve BCDR strategy. Companies need to modify their disaster recovery plan on a regular basis, especially if the company is growing at an accelerated pace (Leary, 1998).

When organizations are equipped with the BCDR plan, the recovery implementation can be executed smoothly, respond faster to incidents and crisis, and save costs caused by the disaster. By building this behaviour, organizations can also advance its business resilience to adapt with various business environment.

Business Resilience

Business Resilience is the "capacity for companies to survive, adapt, and grow in the face of turbulence changes. Business resilience enables organizations to quickly adapt to disruptions while maintaining sustainable business operations and protecting people, assets, and overall brand equity. Resilient business is able to recover from disruptions and show adaptive capacity, which can cause extensive changes in the overall business concept.

According to ITIL 4, there are several requirements to achieve Resilience, which are behaviour that is aligned with a shared vision and purpose, an up-to-date understanding of an organization's context, ability to absorb, adapt, and effectively respond to change, good Governance and management, diversity of skills, leadership, knowledge, and experience, coordination across management disciplines and contributions from technical and scientific areas of expertise, and effective risk management.

The BSI added the following benefits of implementing BCDR to the organization (BSI, 2006):

• The organization is able to proactively identify risks to its operation and have in place a capability to mitigate and manage those risks

• The organization maintains an ability to manage uninsurable risks, such as risk to the reputation

• The organization has in place an effective response to major disruptions

• The organization are able to demonstrate that the program is credible through a process of exercising and auditing

• The organization may have a competitive advantage, conferred by the demonstrated ability to maintain customer service, profitability, and employment of its staff

• The organization is able to demonstrate that the program is iterative and is embedded as a good business practice

Conclusion

To be effective, both Disaster Recovery and Business Continuity must address every aspect of the operations and consider planning for an event, developing an environment where recovery and continuity are possible and testing plans to ensure these actually work (Cervone, H. F., 2017). The recovery group and business enterprise have to then put into effect the BCDR and observe via the plan strategies. As previously mentioned, with effective recovery plans and business continuity strategies, businesses are more well-prepared to incidents and improve its resilience so that businesses are becoming adaptable in disruptive conditions. The BCDR plan delivers effective strategy in protecting both IT infrastructure and organizational structure and therefore be able to demonstrate proactive disaster management with short recovery time.

Reference:
Aldianto, L. Grisna Anggadwita. Anggraeni Permatasari. Isti Raafaldini Mirzanti. Ian O. Williamson. (2021). Toward a Business Resilience Framework for Startups. Sustainability 2021. 13, 3132. https://doi.org/10.3390/su13063132.
Cervone, F.H. (2017). Disaster recovery planning and business continuity for informaticians. Digital Library Perspectives, Vol. 33 Issue: 2, pp.78-81, https://doi.org/10.1108/DLP-02-2017-0007
Enhasy, M. (2009). Evaluating Business continuity and Disaster recovery in information technology departments In Palestinian listed companies. The Islamic University-Gaza.
Meyer, C., & Schwager, A. (2007). Customer experience. Harvard Business Review, 85(2), 116–126