Business continuity
207
the organization continues in existence. There may also be a wider need for a specific 
plan to manage any crisis that may result from an operational disaster. The main 
difference between the disaster recovery and crisis management plans is that the 
disaster recovery plan will be mainly concerned with actions to restore the infrastructure 
of the organization and a crisis plan will also be concerned with external stakeholders 
and actions to manage the associated stakeholder reaction and expectations.
For a printing firm IT systems are fundamental to the operation of the company, 
because the computer systems process orders, schedule printing and manage invoicing. 
For such a company, it may be appropriate to arrange for a mobile emergency computer 
facility to be available in case of major IT failure. If this decision is taken, a contract 
should be set up with an outside company for a duplicate computer to be delivered 
in a trailer to the premises of the company. The duplicate computer would then be 
connected and the operations would be controlled from the duplicate computer
in the trailer. The success of this arrangement will depend on the availability of
information from back-up disks that should be produced at least once per day and 
possibly several times per day.
There has been considerable discussion about the nature of business continuity 
and disaster recovery in terms of the types of control that they represent. HM 
Treasury in the UK considers these controls to be corrective, whereas the Scottish 
Government considers them to be directive. In terms of loss control, disaster recovery 
plans can be seen as primarily damage limitation controls, whereas business continuity 
controls are more concerned with cost containment.
The discussion of whether disaster recovery and BCP should be considered as 
types of control is, perhaps, not fundamentally important. The important issue is 
that disaster recovery and business continuity plans are concerned with circum-
stances where the event is taking place or has occurred. To that extent, DRP and BCP 
can be considered to be responses for when the event occurs and they do not take 
into account how likely it is that the event will occur.
An example in personal life is the use of seat belts in cars. Passengers in cars wear 
seat belts for when a road accident occurs. In many countries, the use of seat belts is 
compulsory and passengers are not required to undertake an evaluation of how 
likely they are to be involved in a road accident when deciding whether to wear their 
seat belts for that particular journey.
Many organizations are now taking the view that BCP should be viewed as having 
three components. The first response to any major event is to activate the crisis
management plan to ensure appropriate response to the crisis and, in particular
ensure that stakeholders are aware of the situation. This will require effective com-
munication with all stakeholders, so that the damage to reputation resulting from 
the incident is kept to a minimum.
Secondly, the organization will then seek to recover from the event by implemen-
tation of a disaster recovery plan. However, as the disaster recovery plan is being 
implemented, the organization will still need to consider the ongoing management of 
the crisis. The organization should ensure that implementation of the disaster recovery 
plan is viewed as the second, but sometimes overlapping, stage of responding to the 
incident. In fact, in certain circumstances, it will only be possible to implement the 
disaster recovery plan once the immediate crisis has been contained.

Download 3.45 Mb.

Do'stlaringiz bilan baham: