First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

How does IT recovery planning differ from business continuity planning?

backuprestoreBackup and disaster planning should be evaluated as part of an organization’s overall risk management process. There are two elements to disaster planning:

  • Business continuity planning—Ensures the availability of critical business resources (including the IT processes that support them)
  • IT recovery planning—Ensures the availability of critical IT resources

In the event of a disaster, management must know:

  • Where the disaster recovery plan documents are located
  • Which employees must be contacted immediately
  • The skill sets needed to continue critical business processes
  • Which service providers and other outside agencies may be contacted to provide emergency assistance and services
  • What information needs to be imparted to customers and clients regarding changes to business processes that will be followed during the disaster recovery period

The role of IT in business continuity planning continues to grow as organizations become more dependent on automated systems and instantaneous responses in routine operations. For example, retail customers increasingly expect almost instant transaction processing, payment approval, and order fulfilment feedback. Business customers expect immediate information about inventory availability and order tracking. The success of a business is often determined by automated, IT-driven response times.

The following chart shows the relationship between business continuity planning and information technology recovery planning.

Business continuity planning Information technology recovery planning
To ensure that critical business processes can continue, or be resumed promptly, in the event of significant disruption to normal business operations To ensure that critical infor­ma­tion systems processing func­tions can continue or be resumed promptly in the event of significant disruption to normal computer operations
Responsibility Business units Service providers of computer operations and systems support
Focus Critical business process continuity and recovery Continuity and recoverability of supporting IT resources
Cost/benefit considerations Cost of providing continuity and recoverability should be commensurate with the risk of unavailability
Resources addressed
  • Space, furniture, equipment
  • People (staff)
  • Communications not covered by IT
  • Supplies
  • Support services
  • PCs, desktops, notebooks
  • Servers, centralized IT equipment
  • LAN/WAN infrastructure
  • Routers, hubs, network, etc.
Documentation required Business unit recovery plans, in as much detail as practicable IT recovery plans, in as much detail as practicable
Testing Critical business process recovery IT resource recovery

Your disaster recovery team

Disaster recovery planning (DRP) for IT processes must be driven from the top. It can be a challenge for busy employees to focus on disaster planning issues. Accordingly, the planning process must be led by IT professionals who have been given a clear mandate and the required resources by executive management. The disaster planning team (DPT) will work with employees directly involved in developing, implementing, and executing IT applications, and with other employees as required, to develop the plan.

A disaster planning team (DPT) should be established with a clear mandate regarding:

  • The team members, and their specific roles
  • Additional resources provided from each company IT site to develop that site’s disaster recovery plan (DRP)
  • Specific expected deliverables
  • The schedule for completion of each site’s DRP
  • The percentage of each DPT member’s time to be devoted to the development of the DRP to meet the required schedule, since a full-time DPT may be difficult to justify
  • What constitutes satisfactory testing of a site’s DRP

If insufficient resources are available to develop a DRP within the required schedule, the company may consider hiring contract personnel to establish the initial DRP under the direction of the company DPT leader. It may also choose to hire a professional consultant to develop the DRP with more limited involvement of the company’s IT staff.

Because a disaster can affect not only IT processes but also other critical processes, an IT disaster recovery plan must be developed as part of an overall organizational DRP. This overall plan should consider:

  • Employee and customer communications
  • Office and manufacturing space and furniture
  • Personnel accommodation (e.g., temporary housing)
  • Transportation
  • Electrical power supplies
  • Telephone systems
  • Food supply and preparation
  • Relief personnel to handle additional workloads during the recovery process

Information Technology PolicyProLearn more about IT recovery planning in Information Technology PolicyPro co-published by CPA Canada and First Reference.

Follow me

Jeffrey Sherman

Chief financial officer, author, lecturer and professor focussing on corporate finance at Atrium Mortgage Investment Corporation, Canadian Mortgage Capital Corp., Trimel Pharmaceuticals Corporation, and Anagram Services
Jeffrey D. Sherman, BComm, MBA, CIM, FCA, is a director or CFO of several public companies and has had over 20 years of executive management experience. He is the author of Finance and Accounting PolicyPro, Not-for-Profit PolicyPro and Information Technology PolicyPro (guides to governance, procedures and internal control, all published by First Reference and the CPA). Read more
Follow me

, , , , , , , ,

Comments are currently closed.