Business Continuity and Disaster Recovery (BCDR) describes an organization's preparation for unforeseen risks to continued operations. The trend of combining business continuity and disaster recovery into a single term has resulted from a growing recognition that business and technology executives share responsibilities for assessing risks, establishing control procedures and systems, and so on, rather than developing plans in isolation.
As the BCDR discipline matures, practitioners must dispel some of the folklore of the past to move forward, become more resistant to business disruptions, recover more quickly and with more integrity, and control costs. Four of these BCDR myths were discussed by banking practitioners on the May 4, 2010 Wikibon Peer Incite call on zero data loss strategies:
- Longer distances between primary and backup business and technology operations ensure better business continuity. Not so. Distance creates risk and must be dictated by recoverability requirements, regulations, management decision, and the location of business assets prior to and during recovery efforts, including people, information, partners, customers, and of course, information systems.
- More replication, more backup, equals more data protection. Wrong. Replication creates risks and security exposures. Replication requirements must be expertly synchronized with failover and recovery requirements. Any replication or backup that cannot be tied to a recovery requirement (failure situation, RPO, RTO, business recovery objective) should be canceled or deleted.
- Business continuity is a technology issue. Really? BCDR is a business discipline enabled by technology. Technology creates business risk and the need for the BCDR discipline (e.g., system, data center, network failures), while at the same time enabling the discipline with capability and functionality to recover in the event of a loss (e.g., backup and recovery systems).
- IT and business users have the same interests in BCDR. Sorry. Simply said, IT is more focused on backup, but the business pays for recovery/resiliency. CTOs employ data backup and recovery professionals; business executives hire risk managers to ensure critical business functions are available in the case of a disruption in IT operations. These interests are, of course, linked, but different.
Action Item: BCDR is a discipline, not a project. Know what you're paying for. Clearly communicate business recovery objectives (BROs) to IT, understand IT's technical and operational capabilities, and participate in the BCDR tests and demonstrations. From the IT side, make sure the business understands the risks technology presents to its operations, and architect systems that can demonstrate RTO/RPO compliance on an ongoing basis.