Preserving a company’s information systems is essential to its smooth operation, and keeping them running is a major concern, especially in the event of problems or natural disasters. Business interruption caused by IT failure can be fatal to companies, no matter their size.
One of the main defences against these hazards consists in implementing disaster recovery and/or business continuity plans (DRP-BCP). But what do they consist of? How to implement them? And what are the challenges of these plans?
What is at stake?
Beyond the mandatory compliance, imposed by regulators, implementing business continuity and recovery plans for banking institutions attempts to answer 5 major questions:
- How to return to a normal level of activity in a short time, without major data loss;
- How to communicate with various stakeholders in the event of a crisis;
- How to limit the consequences in terms of financial costs and damage to the brand image;
- How to ensure operational resilience;
- How to monitor the emergence of new threats.
It should be noted that most African monetary zones make having a DRP-BCP mandatory, to varying degrees of thoroughness. The ECCAS includes this obligation in the COBAC R – 2008/01 regulations. Contingency and business continuity plans are the subject of Chapter 3 of WAEMU Circular 04-2017/CB/C on risk management in credit institutions and financial companies in the union.
Disaster Recovery Plan (DRP)
A Disaster Recovery Plan (DRP) is an internal procedure for the recovery of a company’s activity in the event of the failure of its information system, among other things. A DRP can plan for partial or full recovery of business activity.
The objective of this plan is to anticipate and mitigate the effects of a disaster, such as a flood, a fire, or other natural disasters, but also of attacks on your company’s IT infrastructure. The plan has to be assessed beforehand, listing all the sensitive business data and applications to be duplicated and backed up, but also has to account for the training of people within your company who will be responsible for putting this DRP into action in the event of a crisis.
Being preventive, it should of course be defined and put in place before a disaster. Depending on the size of your infrastructure, developing an effective DRP can take up to a year to properly map the critical parts of your systems.
A DRP does not generally aim to back up and protect everything: that is generally untenable in terms of resources. Its main objective is to identify what is critical to the operation of the business, even at reduced capacity, in order to restore activity as quickly as possible in the event of problems.
Business Continuity Plan (BCP)
A BCP (Business Continuity Plan) has a broader scope: the aim here is to maintain the activity of a company in the event of a major failure, while it is happening.
The COVID-19 global pandemic is an example of the major disruptions that BCPs are designed to prepare for. Several scenarios need to be planned for in a BCP, generally divided into 4 distinct kinds:
- IT systems failure;
- impracticality of the premises;
- extreme worsening of conditions or interruption of market operations;
- the massive unavailability of skills.
This article deals in particular with the IT infrastructure, which is nowadays critical to the functioning of companies. In this context, a business continuity plan makes it possible to maintain high availability and to continue working, even in the event of an incident.
What is the difference between DRP and BCP?
To better explain the difference between the two types of plan, let’s take a different example, on another scale: your computer’s power supply. A BCP, here, could be a UPS connected to your computer. In the event of power loss, a battery system takes over automatically and transparently. There is no loss of power, and your computer continues to function in the same way as it would when connected to the mains. A signal is emitted, telling you that you are on the backup system; but you can continue working without losing your work, as long as the backup power remains, until the power grid is working again.
A DRP would be more like an external hard drive, where you regularly back up your work. In the event of a power failure, you would simply recover your backup, for example on a battery-powered laptop, and resume your activity, albeit from a slightly older point in time: the time of your last backup.
On the scale of a complete information system, the same situation applies: a DRP is an effective backup of your data and applications to be recovered in the event of a crisis; a BCP is a duplicated system in real time, which can take over in the event of problems.
The difference between the two is, ultimately, in the amount of time the company can accept to recover from a production or activity shutdown: a BCP guarantees business continuity, a DRP a rapid recovery.
What are the objectives of DRP-BCP?
DRPs-BCPs cannot be effective unless they include all the critical elements that make up your information system. If the scope is too narrow, there is a risk that your activity will be degraded too much, or even be impossible to resume, in the event of problems. Too broad, and the recovery plan becomes a runaway cost.
One of the primary goals in establishing a good DRP-BCP is therefore to define the exact scope of what is needed to keep the business running. This may be a list of physical servers, databases, software, an e-mail system, etc. Each company is unique in its operations and will therefore have different requirements.
This is why it is important to call on trusted experts when mapping what is to be protected: it is easy to see that backing up the company’s internal chat logs is perhaps less important than backing up or maintaining the billing and accounting system. Again, it is through careful assessment that a list of the information system’s critical points can be established.
Two important values must then be defined: the RTO (Recovery Time Objective) and the RPO (Recovery Point Objective). The first is the maximum acceptable downtime of your critical systems; the second is the maximum period of time over which it is acceptable to lose data.
This is where DRPs and BCPs differ greatly: the DRP will always have an RTO greater than zero and an RPO greater than or equal to zero. A BCP, on the other hand, will always have both RTO and RPO equal to zero.
In the case of the banking industry, a DRP might typically have an RTO of one or two hours, depending on the services covered; the RPO must be zero, as it is essential not to lose any transactions to avoid loss of funds. In France, the Comité de la Réglementation Bancaire et Financière (CRBF) requires businesses in the financial sector to have a contingency plan for business continuity. In the United States, and more generally worldwide, PCI-DSS imposes strict data backup rules. Similar legislation and regulations exist in most countries, to ensure the continuity of operations expected of the banking world.
How to implement a DRP-BCP?
Once the critical infrastructures have been identified and the recovery times decided, it is then a matter of putting in place an effective backup strategy within the framework of a DRP, or the duplication of systems within the framework of a BCP.
A detailed backup policy should be defined and followed. A basic rule, known in the IT industry, is the 3-2-1 rule: three backups, on two different types of media, with one of the copies offsite (i.e. away from your premises; the further the better). The aim here is to maximise the chances of data recovery, in the event of a natural disaster, or technical failure: by using two types of media (e.g. magnetic storage, and tape storage), and by having one copy far away geographically, it becomes easier to make sure a working copy exists.
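The 3-2-1 rule and the RPO defined earlier can be checked mechanically against a backup inventory. The following is an added example, not part of the original article; the system names, media labels and RPO values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupCopy:
    system: str          # critical system the copy protects
    media: str           # e.g. "disk", "tape", "object-storage"
    offsite: bool        # stored away from the primary premises
    taken_at: datetime   # when the backup completed

def audit(copies, rpo, now):
    """Return {system: [findings]} for systems that break 3-2-1 or exceed their RPO."""
    by_system = {name: [] for name in rpo}   # systems with no copy at all still get checked
    for c in copies:
        by_system.setdefault(c.system, []).append(c)
    report = {}
    for system, items in by_system.items():
        findings = []
        if len(items) < 3:
            findings.append(f"{len(items)} backups, need 3")
        if len({c.media for c in items}) < 2:
            findings.append("fewer than 2 media types")
        if not any(c.offsite for c in items):
            findings.append("no offsite copy")
        # Data written since the newest backup is what a disaster would lose.
        age = now - max(c.taken_at for c in items) if items else None
        if system in rpo and (age is None or age > rpo[system]):
            findings.append(f"RPO {rpo[system]} exceeded (newest backup age: {age})")
        if findings:
            report[system] = findings
    return report

# Constructed inventory for three hypothetical systems.
NOW = datetime(2024, 1, 10, 12, 0)
INVENTORY = [
    BackupCopy("billing", "disk", False, datetime(2024, 1, 10, 11, 0)),
    BackupCopy("billing", "tape", False, datetime(2024, 1, 10, 2, 0)),
    BackupCopy("billing", "object-storage", True, datetime(2024, 1, 10, 2, 0)),
    BackupCopy("chat", "disk", False, datetime(2024, 1, 8, 2, 0)),
    BackupCopy("chat", "disk", False, datetime(2024, 1, 7, 2, 0)),
]
RPO = {"billing": timedelta(hours=2), "chat": timedelta(hours=24), "mail": timedelta(hours=4)}

if __name__ == "__main__":
    for system, findings in audit(INVENTORY, RPO, NOW).items():
        print(system, findings)
```

The "mail" entry shows the case that inventories tend to hide: a system with an RPO target but no recorded backup is reported instead of being skipped.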
It is also essential and mandatory to regularly test backups and the backup system to ensure that they can be restored in the event of damage. A tragically famous example would be MySpace, a social network from the turn of the century; all the content posted by its users from the site’s inception until 2015 was lost during a datacentre move. The backups had been silently corrupted for years, and could not be recovered. Although this data cannot really be considered critical, the losses destroyed the remaining reputation that the platform enjoyed.
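Silent corruption of the kind described above is only caught by reading backups back and comparing them with what was recorded at backup time. The following is an added example, not part of the original article: it stores a SHA-256 manifest when the archive is written, then re-reads every file from the archive; the file names and contents are constructed sample data.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def make_backup(src_dir, archive):
    """Write an uncompressed tar; return {relative path: sha256} taken from the source."""
    manifest = {}
    with tarfile.open(archive, "w") as tar:
        for p in sorted(Path(src_dir).rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                tar.add(p, arcname=rel)
                manifest[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest

def verify_backup(archive, manifest):
    """Read every file back out of the archive; list what is missing or altered."""
    problems = []
    try:
        with tarfile.open(archive) as tar:
            members = {m.name: m for m in tar.getmembers() if m.isfile()}
            for rel, digest in manifest.items():
                if rel not in members:
                    problems.append(f"missing: {rel}")
                elif hashlib.sha256(tar.extractfile(members[rel]).read()).hexdigest() != digest:
                    problems.append(f"corrupted: {rel}")
    except (tarfile.TarError, OSError) as exc:
        problems.append(f"archive unreadable: {exc}")
    return problems

def demo():
    """Constructed sample data: back up two files, then flip one bit inside the archive."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "billing")
        src.mkdir()
        (src / "customers.csv").write_bytes(b"1,Example Ltd\n")
        (src / "ledger.csv").write_bytes(b"2024-01-10,INV-001,1500.00\n")
        archive = Path(tmp, "billing.tar")
        manifest = make_backup(src, archive)
        clean = verify_backup(archive, manifest)
        raw = bytearray(archive.read_bytes())
        raw[raw.index(b"INV-001")] ^= 0x01   # simulate bit rot in the stored data
        archive.write_bytes(raw)
        return clean, verify_backup(archive, manifest)

if __name__ == "__main__":
    print(demo())
```

The damaged archive still opens and lists its files without error, because tar only checksums its headers; only the comparison against the manifest reveals the change.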
BCPs go even further: the critical infrastructure is duplicated, either on your premises or, ideally, in a geographically remote location or in a private cloud. These installations must be duplicated in real time or very regularly. This way, an “emergency” information system is always available and up to date, ready to be deployed in case of problems.
In a situation where there are bandwidth constraints and the RTO may be longer than one hour, it may be possible to use the connection you already have outside business hours to back up critical data during this period. This lessens the impact on connectivity during the business day, but adds the risk of losing the day’s worth of data in the event of a disaster. A BCP almost doubles the bandwidth requirements (at least on exchanges between critical systems), but ensures virtually no business interruption.
In any case, it is absolutely critical to clearly document all these procedures, to train the disaster response teams, and to continually test all crisis scenarios; countless examples in 2020 showed the importance of a business continuity plan during the early stages of the pandemic, and the institutions that were able to come out on top were those that were prepared to respond in the event of a disaster, in an organised and planned manner.
What are the benefits of DRP-BCP?
Companies are increasingly resorting to DRPs and BCPs, as having their data backed up is a major concern. In an increasingly digitised world, information systems play an important role in the functioning of a company. The loss of data can have a big impact on a business, or even shut it down completely; some companies will not recover from such an event.
Implementing a disaster recovery or business continuity plan allows a company to continue providing service to customers and to restore information systems within a reasonable timeframe. In the case of natural or man-made disasters, a BCP can even be a competitive edge, if your competitors also suffer from the same disaster.
This is the IT implementation of the popular adage, “prevention is better than cure”.
Establishing a BCP is also an opportunity to map in detail what is critical to the functioning of your business. A better understanding of what is critical can also help to focus attention on certain systems in a cyber security policy, which is a key focus today, especially with the advent of new financial tools, the development of cryptocurrency and an ever-increasing demand for digitisation of all financial and government services. The stakes are growing exponentially, and data security will be the keystone of the banking world’s durability and resilience.
Finally, it is also a very useful part of a crisis management plan; having made decisions in advance, it becomes easier to bounce back from problems.