features the organization needs to consider
and address; even if the organization’s
plan is to initially document the needs and
goals, develop a road map to achieve the
goals, and construct mitigation plans to
ensure continued operations can be maintained until those recovery features can be
This is where the planning and effectiveness of an organization’s BC/DR program come into play; to identify from the
onset the comprehensive recovery and
continuity needs of an organization, to
bridge the gap of what is needed, what
is expected, what is wanted, and what is
delivered to ensure the needs of the organization’s BC/DR needs are met.
Isn’t one the same as the other?
Where does business continuity stop
and disaster recovery begin? Having a
strong DR program does not guarantee
a successful BC program and vice versa.
Each program covers its own critical
unique need, its own distinct set of deliverables and responsibilities, and is equally
necessary to the operational recovery of an
organization in a disaster or other impacting event.
Breaking down to the simplest com-
ponents, borrowing from the project life-
cycle methodology where requirements
can be defined as the “what” and design
is the “how,” business continuity could
be described as the “what” and disaster
recovery as the “how.”
Business continuity will help define
from the organizational level on down,
what needs to be recovered and what
needs to be available based on business
critical need in the event the organization,
its systems, and/or its people are not avail-
able due to a disaster or an event prevent-
ing business operations.
Disaster recovery will document and
deliver systems to be recovered at time of
disaster based on business critical need,
develop how and when the systems will
be recovered, and ensure through proper
design, equipment implementation, documentation, review, and testing that systems and services can be recovered and
made available as designed.
Business continuity and disaster recovery programs working together can ensure
operational needs are identified, strategies
are clearly defined, solutions are deliv-
ered, and roadmaps and mitigation plans
are established to bridge operational gaps,
in order to keep the business continuity and disaster recovery programs of the
organization effective and in alignment of
What happens when fast isn’t fast
Let us say, for example, the RTO for a
system or business process has been established. For example a two-hour RTO from
time of disaster is in place. Now a business stakeholder steps up and declares that
due to the critical nature of said system or
process, two hours is too long, availability needs to be immediate. At this point
coordination and communication are key.
Trying to resolve this need by operating in
a vacuum is a recipe for disappointment or
Depending on the architecture design,
the system or process may be able to be
designed for automatic or near auto-failover. If additional hardware, licensing, re-design, or other features need to be
acquired to achieve the goal, these requirements need to be identified and communicated up front for consideration.
If a human element needs to be involved
in its recovery or failover, achieving the
immediate or near immediate system
delivery may be problematic or not realistically achievable. Again, in this instance
work with the stakeholder and/or organization and impacted user group to define
what is the need, identify what is needed
to achieve the goal, and identify the gaps if
the goal cannot be achieved which allows
them to build a road map to achieve the
goal if not acted on today, and mitigation
plans to continue operations during the
Often times, these types of decisions
need to be made, with full transparency of
information by the organization’s leadership, especially if the decision is driven
by investment of capital expense versus
All dressed up and nowhere to go
At this point is where separation may
occur between need and delivery. In a
BC/DR program solution delivery there
are three core questions. The answers to
the questions may not be the same for all
n What does the organization need (based
on environment, business impact and risk
analysis, system reviews and prioritization,
and other considerations)?
n What does the organization want (what
is the selected solution, what does the
organization choose to address, or choose
not to address)?
n What can the solution provide deliver (are
there services or solutions that are outside
the delivery scope of the solution providers)?
Through the due diligence of an organization, the determination may be made
that what is needed for full BC/DR readiness is greater than what they want to or
choose to invest in at a given time. Needed
but non-critical legacy systems or a critical system whose cost may be greater than
what the organization wishes to spend at
this time may be services needed but not
wanted at this time.
On the solution provider’s end, the
organization may be desiring hardware,
services, or technologies that are not part
of what the provider currently offers.
When everything needed for BC/DR
program readiness for an organization is
not implemented, the organization should
not lose sight of the big picture, road maps
for the work still needed, and mitigation
plans to ensure continued business operations should be created to bridge the time
and operational gaps until those services
are in place.
Are we there yet?
The opinion has been voiced that a BC/
DR program may reach a level of steady
state-maintenance mode. Is this a realistic
point of arrival, a utopian ideal, or might it
be posturing by an organization in preparation to justify cutting back on BC/DR
The most direct answer may be ... as long
as the organization is growing, then the BC/
DR program is growing. As the organization, its technologies, people, and services
continue to grow and evolve, the organization’s BC/DR programs need to adapt to
provide the proper support and protection
or else run the risk of losing effectiveness
and true readiness in a disaster.
Jeff Garrison is founder of Disaster
Readiness Solutions, specializing in disaster
recovery preparedness from boutique recovery strategies to enterprise-wide solutions.