keys to implementing a BCP and DRP (Business Continuity Plan – Disaster Recovery Plan)

In recent times, organizations have become increasingly concerned about incidents that could jeopardize their business. Events as shocking as attacks, large-scale cyberattacks or pandemics are no longer considered implausible scenarios, opening the way for new strategies and business models.

In the field of Business Continuity, we can define these contingency scenarios as events that could lead to a prolonged interruption of activities, creating a situation of business loss, emergency and/or crisis.

It is here where a series of processes, actions and procedures must be executed in a synchronized manner and with the highest priority, in order to guarantee delivery of products and provision of services, safeguarding integrity of our organization. We naturally refer to Business Continuity plans and procedures (BCP or DRP).

There are several plans and documents that guide organizations in front of contingency scenarios; in prioritizing, communication and acting to face these events, where it is preferable to have a previously defined action strategy than to resort to improvisation.

Below, we will mention some of the most important:

• Business Continuity Plan (BCP): consists in information and set of plans and procedures required to respond to a disruptive incident, in order to resume critical business activities. An organization’s BCP is made up of a series of specific plans that, when activated, provide a joint and coordinated response by different areas of entity.

As an example, in the face of a severe breakdown in a critical production line in our facilities, it may be necessary to activate our BCP, initiating a series of processes, actions and communications that allow us to return to activity in the shortest possible time.

Depending on breakdown severity and nature of incident, it may be necessary to activate other specific plans, such as those mentioned below.

• Business Continuity Specific Plans:with these plans, we refer to actions aimed at recovering one or several activities, depending on specific contingency scenario.

Following with previous example, in the face of a failure in our production line, we can activate a specific plan previously conceived, which guides us in resumption of production. Some questions that this plan could contain are:

1. Criteria for use of a safety stock: if estimated resolution time may endanger delivery to client in time and form or even to cause legal or contractual breaches.
2. Alternative production method: use of secondary line, temporary outsourcing, etc.
3. 3. Contact with personnel and maintenance suppliers.
4. Information reporting requirements: to periodically scale status of contingency and actions, update resolution time estimate, etc.
5. Activation of other plans, procedures and call for decision committees.

• Disaster Recovery Plan (DRP): A Disaster Recovery Plan describes actions for recovery of information systems, IT infrastructure and company’s platforms and applications. Its character is fundamentally technological.
• Crisis Management Plan:It defines criteria of activating a crisis, as well as organizational structures and information escalation necessary for decision-making during a corporate crisis. Usually, it is the first plan that is activated as soon as incident occurs.
• Communication Plans: It establishes necessary communications with different interested parties, both internal and external, in the face of relevant events for company, including Business Continuity and Crisis scenarios.
• Plans for Returning to Normality: Actions aimed at recovering level of activity prior to incident, once contingency has been saved and organization is providing its services with a minimum acceptable level. De-escalation phases that is taking place in Spain as a result of COVID-19 pandemic, would be an example of this type of plan.

• Emergency Plans:Acting procedure to be followed in the event of risk events, minimizing effects on people and describing steps for a safe evacuation, if necessary.

It should be noted that not all plans have to be activated simultaneously in case of a contingency. It will depend mainly on the nature of problem and of magnitude of the event.

For example, in the face of an incidence related to a failure in a critical software of company, activation of our DRP may be necessary, but obviously activation of emergency plan will not be necessary and, depending on resolution time, can there not be sufficient criteria for activation of crisis or communication plan.

From GlobalSuite Solutions, we can help you in the implementation, maintenance and improvement of your Business Continuity Plans,through our specialized consulting and thanks to our management software, GlobalSuite®.