Business Continuity Management (BCM) is not just about plans and documents; it is also about developing and maturing a capability to recover the organisation whenever required. A key component in this capability is ensuring the necessary infrastructure and facilities are available to meet the organisation's requirements at the time of a disaster, incident, or disruption and ensuring that this recovery environment can operate as required.
The Continuity Requirements Analysis (CRA; sometimes included within the BIA) will highlight the essential items needed to continue the most critical activities and will estimate how quickly these items need to be provided. To validate these requirements in the simplest way (especially if CRA did not form part of the company's Business Continuity programme), the concerned business managers should be brought together, given a blank sheet of paper, and asked to list their most critical requirements for continuing the most important activities identified in the BIA.
Once the business has identified the systems or applications it requires, the IT people can identify the dependencies and components needed beyond the basic hardware and software requirements (e.g., network links, data communication links, SAN or NAS storage, etc.). In the complexity of today's business environment, there are also often data dependencies between systems; therefore, the availability of one system can often depend upon one or more others. This produces the need to recover these other systems simultaneously to maintain data and transaction consistency and integrity.
For those organisations that decide to implement recovery and standby facilities, such as a business recovery site (office) for staff and an IT Disaster Recovery data centre for backup systems, IT equipment, and communication links, the solution does not stop there. Implementation is the easy part and only the "tip of the iceberg" for the work required to achieve the capability of recovery.
The most challenging part of implementing recovery facilities is the need for maintenance and upkeep. Once implemented, any changes to or within the organisation that could affect the usefulness of these recovery facilities should be assessed, and where necessary, the recovery environment should be amended to include these changes, thereby ensuring the recovery environment is ready for use at all times. Here is a list of some of the most likely things that could change in your organisation and require changes in your recovery environment:
PCs: Quantity, performance and specifications, operating system, anti-virus software, personal firewalls, security patches and associated updates.
PC Software: The software installed on the desktop (including its version and any updates), any files stored locally, browser settings (such as favourites), drive letter mappings, templates and any embedded code (such as Excel macros).
Printers: The make/model, printer drivers, and spare toner cartridges.
Multi-functional devices (MFDs): The list of users, PIN numbers, and email addresses (to email scanned documents).
Telephones & fax machines: Pre-programmed numbers, short dial codes, and direct-dial numbers (especially for fax numbers given to clients and third parties).
Stationery: Basic supplies of office stationery are always required, as well as stocks of pre-printed forms and headed stationery (letterheads, compliment slips, etc.).
IT DR data centre
Servers: Configuration, specifications, operating system, anti-virus updates, database versions, security patches and updates/big fixes for all software.
Communication links: Addition of new communication links or changes in bandwidth of existing links.
Network storage: Configuration, storage space, and specifications.
System priority: New applications, introduction of new functionality, or launch of new products or services could change the importan