Business Continuity & Disaster Recovery Planning models
Business continuity and disaster planning
The goal of business continuity planning is to ensure that during an unexpected event, the business is able to run as smoothly as possible. These unexpected events may run the gamut from "the failure of a supplier of goods or services or delayed deliveries" due to extreme weather to a security breach of the computer systems to a national attack or major disaster (BIA, 2012, FEMA). "A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies" (BIA, 2012, FEMA). To conduct a BIA, the organization should first determine the potential timing of a disaster, or "identify [the] point in time when interruption would have greater impact," followed by the "duration of the interruption or point in time when the operational and/or financial impact(s) will occur" (BIA worksheet, 2012, FEMA).
Next, the organization must determine the operational impact of the event, which may include lost or delayed sales and income; increased costs to deal with the problem; fines and legal fees; contractual penalties; general customer dissatisfaction and loss of customers (including new customers); and any delays involved in enacting planned initiatives (BIA worksheet, 2012, FEMA). Finally, the costs of the likely disasters should be "compared with the costs for possible recovery strategies" (BIA, 2012, FEMA).
The Business Continuity Maturity Model® (BCMM®) is a specific, trademarked tool "created to help organizations to improve the resiliency of organizations and to develop and maintain a sustainable continuity program" and identifies eight domains that are critical to disaster recovery (COOP: How resistant are you, 2012, Virtual Corporation). These domains are then 'rated' on a scale from very low to high. The domains include leadership; employee awareness; the scale and appropriateness of the BC program; pervasiveness of the BC programming; use of metrics to monitor BC performance; commitment of resources to a BC program; and external coordination (COOP: How resistant are you, 2012, Virtual Corporation).
The BIA and the BCMM assume that some types of disruptions in business strategy are inevitable, and that the best way to protect oneself against losses is to anticipate them and to reduce the damage through recovery planning, which reduces the length of time the business' regular operations will be disrupted. Another form of business disaster planning is called attack tree analysis. In contrast to BIA, "attack trees are constructed from the point-of-view of the adversary. Creating good attack trees requires that we think like an attacker. We do not focus on how to defend a system when we initially create the model. Instead, we think of what an attacker wants to achieve and ways to accomplish it. Later, we use the understanding we have gained of the system's vulnerabilities to improve its defenses" (Ingoldsby 2012: 4). Rather than 'risk mitigation,' the primary impetus behind attack tree models is to prevent security breaches from occurring at all, to maximize the organization's defense against possible penetrations. Attack trees are graphically represented models that lay out the possible chains of events in potential attacks. The defender then attempts to 'break' each chain of possible attacks (Ingoldsby 2012: 7). Implicit in the notion of 'attack trees' is that the best way to deal with attacks is not to be subject to successful attacks at all.
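The chain-breaking step described above can be worked through in code. The sketch below is an added example, not taken from Ingoldsby or from this essay; it assumes the common AND/OR formulation of attack trees, and the node names and effort scores are constructed placeholders.

```python
from dataclasses import dataclass, field

INF = float("inf")

@dataclass
class Node:
    name: str
    kind: str = "LEAF"   # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    cost: float = 0.0    # constructed attacker-effort score, used on leaves only
    children: list = field(default_factory=list)

def cheapest(node, blocked=frozenset()):
    """Return (cost, leaf names) of the cheapest chain that reaches `node`.
    Leaves listed in `blocked` are treated as removed by a defensive control."""
    if node.kind == "LEAF":
        return (INF, []) if node.name in blocked else (node.cost, [node.name])
    results = [cheapest(child, blocked) for child in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    total = sum(r[0] for r in results)           # AND: every child is required
    if total == INF:
        return (INF, [])                         # one broken link breaks the chain
    return (total, [leaf for r in results for leaf in r[1]])

def leaf_names(node):
    if node.kind == "LEAF":
        return {node.name}
    return set().union(*(leaf_names(c) for c in node.children))

def best_single_control(root):
    """Find the one leaf whose removal raises the cheapest remaining chain the most."""
    scored = {n: cheapest(root, frozenset({n}))[0] for n in sorted(leaf_names(root))}
    name = max(scored, key=scored.get)
    return name, scored[name]

# Constructed model: two chains share step A1, and a third path C stands alone.
A1 = Node("A1", cost=2.0)
ROOT = Node("goal", "OR", children=[
    Node("chain A", "AND", children=[A1, Node("A2", cost=3.0)]),
    Node("chain B", "AND", children=[A1, Node("B2", cost=5.0)]),
    Node("C", cost=9.0),
])

if __name__ == "__main__":
    print("cheapest chain today:", cheapest(ROOT))
    print("most valuable single control:", best_single_control(ROOT))
```

Because step A1 is shared by two chains, blocking it removes both and leaves only the costliest path, which is why the model points the defender there rather than at the cheapest chain's other step.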