When people start to develop plans to deal with a major impact event, they are confronted by two different terms: Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP). A mistake organizations often make is assuming that if they have a DRP, they are covered. That is not the case. There is quite a difference between these two plans, and it is important that your organization understands the differences and what type of planning each requires.
Disaster Recovery Plan
Many organizations put the responsibility of mitigating operational risk on the IT department. I believe that is a misconception caused by organizational management understanding their business but perceiving IT as complicated and something they do not understand. They then look to the IT department to mitigate the risks in IT. My position is that the responsibility of mitigating operational risk falls on the Finance department, since they are responsible for all the day-to-day accounting for the business leading to profitability. Therefore, the Finance department must ensure all risk to profitability is defined and mitigated.
The first step an organization needs to take is to perform a risk assessment. In short, a risk assessment identifies and estimates the types and levels of risk that will impact the organization. The next step is to compare the uncovered risks against the acceptable level of risk determined for each department in the organization. What should come out of the completed risk assessment is a set of risks throughout the organization, impacting both the IT and the business functions.
The risks identified as impacting IT fall under the Disaster Recovery Plan. The risks identified as impacting the business functions fall under the Business Continuity Plan. While the two plans will have details that are interrelated, they must be defined, developed and maintained separately to be completely effective.
from BCNJ Member Blog Feed http://dlvr.it/LBxvyy