Speaker 1: In business, when we look to create something new, we need to follow a process, which is much like a recipe, really. Because if you go in the kitchen to make a batch of cookies, you're going to follow a recipe. Otherwise, there's no telling what you're going to end up with, and you're probably not going to want to eat it. So, in business, we follow a process so that we can enhance our chances for success of creating something usable. And that means it's time to jump in and take a look at the business continuity and disaster recovery planning process. So, the first thing we're going to do in this process is assign ownership, and that's because we need something. We need accountability. So, we assign who has ownership of our business continuity and who has ownership of our disaster recovery planning. And again, business continuity and disaster recovery are very similar, and a lot of it overlaps, like a whole lot. And when it comes to the process of planning, that overlaps as well, 100%. We go through the same process for each of them. So, once we identify who will be accountable for these plans, we have ownership at that point. So, now we can start with the rest of the process, which continues with developing a policy for business continuity and disaster recovery. Because every program or anything we do in business should have a policy around it. So, we have a policy that's going to define what our purpose is of the disaster recovery and business continuity plans. You know, what is the purpose of these plans? So, we need to identify this early on so we know what our target is. That is our purpose. Then, next, we have a scope. We need to identify the scope of what this disaster recovery and business continuity planning will cover. Will it cover the entire organization as a whole? Will it cover only certain parts of the organization? Or maybe certain branches of the organization? Just depending on what we're looking for. Now, it will most likely include the entire organization, but there are instances where we might not want to. And then, lastly, we need to define the authority of the program. So, what authority does the program have or those running the program within the organization? So, they can do things like, you know, make decisions on behalf of the organization to get things back up and running sooner rather than later. So, those are three things that we need as part of our policy. We need to have a purpose. We need the scope. And, of course, the authority. And, as I mentioned before, the business impact analysis. Now that we have someone in charge of the business continuity disaster recovery plans. And, again, those are two separate plans. But we have someone who's going to wear the hat of the in-charge person. And we have also defined a policy. We've created it and put it into play. So, those are the two things that we started with. We now need to execute a business impact analysis. Now, this is where we're going to go through and identify key business processes. And we're going to take that list and we're actually going to prioritize it. And those key business processes are what keep the business alive and functioning. And once we identify those, again, we're going to prioritize them. And we should define a statement of impact for each of those items listed. So that we know what will happen if we lose that service. Will we lose email capabilities? Will we not be able to produce a certain product? Will we not be able to process payroll? You know, what is the statement of impact if we lose that key business process? So, that's the third thing. We perform our BIA. Then we take that BIA information and we put it through some critical analysis, which is step four. And the critical analysis analyzes the risk. There's our key word there again, risk. And we analyze the risk associated with that key business process. So, that is important. We're going to analyze the risk associated with it. Then we're going to define the likelihood of occurrence. That's our next step. So, we know how risky it is. Maybe we define a scale. One, two, three, four, and five. Five being a super high risk. And one being a low risk. So, that way we have a risk scale. And then we have a scale of likelihood. Maybe one, two, and three. Low, medium, and high of likelihood. And this way we can actually take risk multiplied by likelihood. And we can come up with a value that's associated with our critical analysis. Once we've completed that, we need to go through and establish our recovery goals. We now know by performing our critical analysis what the impact and likelihood of given scenarios and services are. So, now we need to establish what our recovery goals are going to be. Meaning, do we need to recover this within an hour? Within six hours? Within 24 hours? Because we now know the impact it's going to have on our organization for every second that it's down. And the likelihood that it will occur. Now, we covered these exact terms in the risk management objectives video. Let me put that up here. Risk management objectives. So, if you go to that video as part of this series, you'll go over all of these recovery goal terms in detail. Right now, we're just going to kind of run through them. Starting with maximum tolerable downtime. And that is the maximum amount of time that we can be down and still survive as a business. Then we have maximum tolerable outage. And this is the maximum downtime per type of outage. Because there's different types. You could have power outage. You could have service outage. There's various types of supplier outage. Whatever it might be for a given scenario. And, again, these are going to be for individual services. Because we're not going to have the same MTD, MTO, and others as we go through them for every service. It's not a global number. Each of these services that we identify in our BIA is going to have a different value for whatever these recovery goals are. For instance, our payroll system. Well, we might be able to go four days without our payroll system being up and running. So the MTD for payroll might be four days. But when it comes to something like our inventory database, well, that can only be down for six hours or we're really going to be behind. So its MTD might be six hours. Then we have recovery time objective, RTO. And the RTO is what our objective is as far as how long we want to be down. So this is really our goal for outage. So if your RTO is four hours, then you want to be back and running within four hours. Then we have RPO, recovery point objective, and that deals with the amount of data loss you're willing to accept. And that's because our backups run at different periods. So if they run every six hours, well, then you could lose up to six hours of data. So your RPO is your recovery point objective. That's a point in time. So how much data are you willing to lose? Then we have our RCAPO, and this is our recovery capacity objective. And this deals with basically a workaround. How long can we run in a workaround state and still be effective? Again, we covered all these in depth in the risk management objectives video. So it would be a good place, if you don't recall these, to go back and review them in detail. So once we've established our recovery goals here, well, then it's time to move on to creating a recovery strategy and plan. Now, this includes identifying a recovery solution and plan. Now, of course, our strategy is everything we need to do to get from today to where our recovery goals are. So all those things in between, that is our strategy. And it might be, well, definitely one of them is going to be identify a recovery solution. We're also going to have to define a plan, and there's other things in there as well. So here's the thing with the recovery solution. It needs to meet our recovery goal. So if we had a recovery time objective of six hours, that means we don't want to be down for longer than six hours for a given service. We need a recovery solution that's going to allow us to recover in less than six hours. The thing with this is the lower the RTO, most often it's going to cost more money. Meaning the recovery solution that we're working with up here is going to be a high-dollar solution. Because if you're wanting to recover within just a few minutes, then you're going to have to pay for that technology. But if you have an RTO of 24 hours, then you can use traditional backups and such, and it's going to be a much lower cost. Once we've defined our recovery strategies and our recovery plan, so we know how to use this recovery solution. That's what our plan is going to do for us. Well, then we need to go and we need to test these recovery plans to make sure that they actually work. Because we don't want an event to occur and then our recovery plan to absolutely fail. That would be a really bad day. So we, of course, need to test our recovery plans and we need to document and address any shortcomings in that plan. So that it does not become a problem. Then we need to train all of our personnel involved in those plans so that they know exactly what they're supposed to do. We have tested and verified that the plan is good to go. It works. So that means now we need to take all of our people and we need to identify the roles and responsibilities within the plan. And we need to start assigning those responsibilities and roles to these people. Then we need to provide all those people training on that plan and their roles and responsibilities. That way everybody knows who does what. Each person gets training on their roles and responsibilities so they know how to do it. And that's very important, how to do it. And this is what's going to be key to the success of your disaster recovery and business continuity plans. And that is that everybody knows what they're supposed to do and, of course, how to do it. And lastly, we need to maintain these plans because these are living documents. And what I mean by that is they change. People move roles. They leave the organization. New people come in and take over roles. That means we need training. We need documentation updated. We need to ensure that everyone knows what they're supposed to do. But we also have new systems, new processes that are added to the organization. That means they also need added into the business continuity and disaster recovery plans so that they will be able to be restored in a timely manner, meeting our goals and reducing the impact an event will have on our organization. And that is the business continuity and disaster recovery planning process. I hope this has been informative for you, and I'd like to thank you for viewing. Thanks for watching, and subscribe here to get the latest from CBT Nuggets. And if you're interested in IT career or learning more about IT in general, hey, swing by cbtnuggets.com and sign up for a free trial.