IMPORTANCE OF

BUSINESS CONTINUITY
AND
DISASTER RECOVERY

PRESENTED BY:

CARLO RODRIGUEZ

REPORT AUTHORITY: DR. TERRY LINKLETTER

COMPLETED NOVEMBER 29,2018
 IMPORTANCE OF BUSINESS CONTINUITY AND DISASTER RECOVERY

Executive Summary
Executive are becoming more involved in the planning of business continuity and disaster
recovery. Why is this? This is because statistics show that 93% that reported a lost of data for
ten or more days also filed for bankruptcy within a year, and another 60% lost their business
within six months (Velnte 2018). With this information, executives should bare the
responsibility of ensuring a business continuity and disaster plan is implemented ASAP.

Introduction
Most companies fail to take in to consideration what a Business Continuity(BC) and Disaster
Recovery (DR) plans are. BC/DC should be thoroughly planned by any business that wants to
survive a devastating event. A devastating event is one that has the potential to take a
company from being fully operational to not functioning at all. These events can be virus attack,
theft from inside company, or a natural disaster. The main focus of this research is to identify
what a BC and DR plan is and its importance.

The scope of this study is on business continuity and disaster recovery from businesses, not
consumers. However, the same methods should apply but on a lower scale. I researched this
topic by looking at articles online and collaborating with my peers on what a a good BC/DR plan
would be and why it’s important.

Definition of Terms (According to ISO 22301)

Business Continuity Plan: According to ISO 22301, business continuity plan is defined as
“documented procedures that guide organizations to respond, recover, resume, and restore to a
pre-defined level of operation following disruption

Disaster Recovery Plan: A disaster recovery plan (DRP) is a documented, structured approach
which includes how to respond to unplanned incidents

What is the Difference Business Continuity and Disaster Recovery

Both business continuity plans and Disaster Recovery plan should be designed and implemented
at the same time. Disaster recovery focuses on getting all the important components of your
infrastructure up and running after a major crisis. This should be the key elements that you need
to do business, not necessarily every part of your infrastructure.

Business continuity focuses on getting your company back to the stage it was at when it was
doing business. This is, in simple terms, getting back to production.
Why It’s Important
Once you become aware of how vulnerable IT systems can be, you will feel compelled to to
ensure your systems are backed up and you have a plan. It doesn’t matter if you keep your data
in a co-location or not, you need to make sure the data is safe.
 IMPORTANCE OF BUSINESS CONTINUITY AND DISASTER RECOVERY

Figure 1 shows data center down-time’s cause and effect. Notice that UPS system failure is the
fastest causes of datacenter outages. However cyber crime is the catching up and on pace to be
the most disruptive (Bradford 2017).

Figure :1 Cause and Affect

93% that reported a lost of data for ten or more days also filed for bankruptcy within a year, and
another 60% lost their business within six months (Velente 2018). With these grave statistics, it
is imperative to come of with a plan to keep your business alive. It's even more grave for small
business that lose their operations. 40-60% of them likely lose their business forever.

Although the failure stats are high for those without a plan; those with a plan see far better
numbers.
96% of those with a plan are able to survive ransomware attacks (Chris 2018). Some would
think that it simply won't happen to them, but your odds are terribly against you. 50% of
companies reported that they experienced downtime in the past 5 years that lasted more than a
day. Knowing that the 96% of companies that have a BC/DR plan can survive, makes you think
more companies would implement this into their DNA.

Responsibility
 IMPORTANCE OF BUSINESS CONTINUITY AND DISASTER RECOVERY

This process can be very daunting but lucky for any executive, there are plenty of vendors that
offer this as a service and your IT department knows how to do this. The main problem is the IT
department or vendor does not know your goals as far as what’s important to you. Importance
falls on the stateholders; the IT department must take this information and come with a solution.
Keep in mind, the more you want, the more expensive your solution will be.

First Steps: Establishing Recovery Point Objective and Recovery Time Objective

Recovery Point Objectives:

Every executive should be a part of the conversation as to what is the maximum amount of time
their systems can be down before it hits THEIR plan’s threshold. This is called Recovery Point
Objective. This is about what data is recovered, NOT about when the data is recovered.

Example, let's say that your company does backups every day . Let’s Assume that your
company was hit by a virus that wiped out all of your systems and your systems were up and
running in 5 minutes. Great! But what if your data that you recovered from was from 5 days
ago? Not so Great! A Recovery Point Objective is an objective set by the stakeholders saying
“how many hours of data are we ok with losing?” In your plan, you need to establish what this
point is. If you say your RPO is 8 hours, then you need to be doing backups in 8 hour
increments so your at any given you can recover to a point in time 8 hours ago.

Recovery Time Objective:

The next step is to discover how long you can go without having access to the data. Recovery
Time Objective asked will determine how fast your system/plan bounces back from and outage
or incident. For example, lets say your systems went down from a virus attack at 12p, how fast
do you want to restore your systems so you can be back to work.

This is important to think about because the two objectives go hand in hand. And different
scenarios warrant a different realistic objective.
 IMPORTANCE OF BUSINESS CONTINUITY AND DISASTER RECOVERY

For example, lets say your system went down at 12p from a virus attack, and you want to be up
and running at 12:01. Assuming that you have to recover from a backup because you have no
antidote to the virus, you have to ask, “where are we getting this clean data from at 12:01?”
If your RPO say it will do backups every 8 hours, you may restore instantly, but the backup will
be 8 hours ago,and you all lose 8 hours of work. If you, the stakeholder, is ok with that, then
fine. But some stakes holder think that the RPO should be inline with the RTO somewhat. So if
you have a RTO of 5 minutes, then shouldn't your clean data be at least 3 hours ago? Or
sooner. Why have an objective to restore extremely fast if you have to make up for 8 hours of
lost work?
Figure 2

Regardless of the decision, this is up to the stakeholders to relay to the vendor/IT department.
There are tools offered to calculate this cost but this is best done by those experts in the
profession. Datto, offers a great tool to get an understanding of what some cost might be to
implement a solution you want. You can use the online tool here http://tools.datto.com/rto/ .

Summary
In summary, a business continuity plan and disaster recovery plan if an important aspect of any
company that wants to survive a disastrous incident. You must remember that the responsibility
must fall on the stakeholders so they can identify their recovery time objectives and recovery
point objectives. Once this is doen, you can proceed in determining a solution that fits your
needs. The higher frequencies of backups and the faster recovery time will increase the cost of
your solution.
 IMPORTANCE OF BUSINESS CONTINUITY AND DISASTER RECOVERY

Work Cited:

Allen, Chris. “21 Disaster Recovery Statistics That Will Shock Business Owners.” PhoenixNAP
Global IT Systems, PhoenixNAP Global IT Systems, 21 Nov. 2018,
phoenixnap.com/blog/disaster-recovery-statistics.

Contel Braford. “Business Continuity Statistics For IT Pros - StorageCraft.” StorageCraft

Technology Corporation, StorageCraft Technology Corporation, 28 Apr. 2017,
blog.storagecraft.com/business-continuity-statistics-tech/.

Kavur, Jennifer. “Symantec Releases Disaster-Recovery Statistics.” CIO, CIO, 6 July 2009,
www.cio.com/article/2426645/security0/symantec-releases-disaster-recovery-statistics.html.

Velente, Nancey. “Business Continuity and Disaster Recovery - Which Comes First?”
CIOReview, disaster-recovery.cioreview.com/cxoinsight/business-continuity-and-disaster-
recovery-which-comes-first-nid-26892-cid-106.html.

Charts:
RPO/RTO : https://www.cloudberrylab.com/resources/blog/recovery-time-objective-rto-
explained/

ISO Definitions: https://www.iso.org/standard/50038.html