What Are BCP, DRP, and IRP Plans, and Why Does Your Business Need Them?

Have your servers or networks ever failed?

Did you experience downtime that interrupted your operations?

Undoubtedly, at some point, your business has been affected by internal or external factors, which have resulted in painful financial consequences.

Today we will touch on three plans that will help you and your business avoid and mitigate risks to continue operating during an unplanned event.

At Clearbridge Business Solutions, we help businesses across BC develop an effective Business Continuity Plan (BCP), Disaster Recovery Plan (DRP), and Incident Response Plan (IRP).

Read on to learn more and reach out to us today if you are ready to get started!

1 – Interesting Stats

Did you know that 75% of small businesses have no disaster recovery plan (DRP) in place?
96% of companies with a business continuity plan (BCP) and disaster recovery plan (DRP) were able to survive ransomware attacks.
93% of companies without a disaster recovery plan (DRP) who suffer a major data disaster are out of business within one year.

2 – Business Continuity Plan (BCP)

A business continuity plan (BCP) identifies the critical functions and services your business delivers. Therefore, it plans for how you would maintain or resume them in any disruptive event or emergencies like a power outage, fire, flood, or earthquake.

In a disaster, your business could suffer catastrophically without a proper plan.

The most obvious impact is financial loss; the longer your business goes without delivering its products and services, the greater its financial losses.

There can also be technological consequences. For example, the loss of critical or sensitive data.

Having a business continuity plan (BCP) in place can help companies minimize the consequences of a catastrophic event.

In addition, a BCP also provides peace of mind. Employees and business owners alike may feel more comfortable in a work setting with clear policies for how to respond to disasters.

Remember, this plan is separate from a disaster recovery plan (DRP), which focuses on recovering technology facilities and platforms.

Unless otherwise modified, a BCP does not address temporary interruptions that have not been determined to be critical to business operations. To expand, temporary interruptions could be a situation where an occurrence interrupts an employee’s workday, such as having to deal with a sick child or closed daycare.

So, where should you start? Create continuity teams; we recommend two business continuity teams:

BCP coordination team
BCP response team

a) BCP Coordination Team

This team is responsible for drafting and finalizing the business continuity plan (BCP). This includes developing an outline with the necessary steps to create the plan. Moreover, this team is also responsible for ensuring that the team completes each step.

b) BCP Response Team

This team is responsible for responding to a disaster, which includes assessing potential damage to the facility(ies).

These teams work together to ensure that your business can function effectively during a crisis. Furthermore, they help you resume business operations as quickly as possible.

c) BCP Steps

Step 1: Assemble your team.

Step 2: Make sure your employees are safe and well.

Step 3: Understand the risks that impact your business. *BIA

Step 4: Implement recovery strategies.

Step 5: Test, test again and make improvements.

d) Business Impact Analysis (BIA)

As part of your BCP, a business impact analysis (BIA) is a process that allows us (in this case, Clearbridge will work with you) to identify your critical business functions. In addition, it helps predict the consequences a disruption would cause on one or more of those functions.

It also allows us to gather information needed to develop recovery strategies and limit a potential loss.

As a result, it will also allow each department within your organization to explain and discuss how an unexpected event would affect their business function.

So, the BIA identifies the operational and financial impacts of a disruption to business functions and processes.

Some areas to consider include:

Lost sales and income.
Delayed sales or income.
Increased expenses (e.g., overtime labour, outsourcing, expediting costs, errors, etc.).
User error or malevolence.
Regulatory fines.
Contractual penalties or loss of contractual bonuses.
Customer dissatisfaction or defection.
Delay of new business plans.

Circling back to a BCP, it should contain:

Initial data at the beginning of the plan, including important contact information.
A revision process including details about when and who modified it and a way to track the review cycle.
The purpose and scope.
How to use the plan, including a timeline.
Policy information.
Emergency response and management procedures.
Step-by-step procedures.
Checklists and flow diagrams.
A glossary of terms used in the plan.
A schedule for reviewing, testing, and updating the plan.

e) Business Continuity Exercise (BCE)

Without running a business continuity exercise (BCE), your business will never know if its BCP is effective.

Exercising is essential to develop, assess, and approve your business’ BCP response capability.

As a rule of thumb, aim to carry out tangible and realistic simulations.

Participants will feel more engaged and gain value from running the simulation.

f) Areas of Focus

Test plan for critical activities – Conduct controlled testing for individual critical activities, ensuring they can be recovered as planned in your BCP.

A test plan for critical activities often involves departmental or divisional levels.

You may utilize a disaster recovery plan (DRP) if your business relies on IT.

Invoke testing of individual departmental or business unit plans – This is an exercise for a single department or business unit.

Again, the exercise should be tangible and realistic as opposed to simulated (e.g., closing an office to test your business’ secondary location or working from home strategies).

Technical testing – This is a test of equipment, recovery, procedures, or technology.

During this test, you want to assess the ability to recover key systems or establish whether all the relevant equipment, infrastructure, services and security controls will perform as required.

Full BCP exercise – This exercises the entire business’ plans, including an incident response plan (IRP).

Sometimes called a global exercise, this type of exercise is dependent on how critical the products or services provided are and how much the organization can tolerate the impact.

Thus, a full BCP exercise requires meticulous planning and approval from the highest level of the business, along with one crucial rule—that the exercise itself cannot be allowed to cause an actual incident!

g) Common BCE Scenarios

Cyberattacks.
Pandemics.
Physical Disruptions.
Natural Disasters.
Power Outage.
Network Outage.
Emergency Communication.

The simple truth is that without ever conducting a thorough BCE, you will never truly know if you can cope with the worst-case scenario. To learn more about BCE, contact us today.

Accordingly, a well-thought-through business continuity plan (BCP) paired with a tangible and realistic business continuity exercise (BCE) can help employees understand their role in responding to disruptions.

Furthermore, many companies run regular awareness training sessions and include business continuity as a key topic during the onboarding process.

Training can then improve the business’ resilience because some things in life are unavoidable.

We certainly cannot control the natural weather cycles which lead to most of these unforeseen situations.

However, by doing your due diligence, starting your business continuity plan (BCP), and conducting a comprehensive business impact analysis (BIA), your organization will be well prepared to maintain business functions and overcome those unavoidable situations!

3 – Disaster Recovery Plan (DRP)

A disaster recovery plan (DRP) focuses on restoring data access and IT infrastructure after a disaster or cyberattack.

Disaster recovery involves steps to respond to an event and return to safe and regular operation as quickly as possible.

For instance, Clearbridge maintains and regularly tests a disaster recovery plan (DRP).

In the event of a disruption to critical IT services, the disaster recovery plan (DRP) takes all of the following technology areas into consideration:

During a disaster, the disaster recovery lead (Clearbridge or your IT provider) will be responsible for restoring normal function.

a) The Disaster Recovery Process

Clearbridge’s or your IT provider’s role will be to guide the disaster recovery process and all other individuals involved in the disaster recovery.

The disaster recovery lead and responsibilities are as follows:

First, determine that your business is declaring that a disaster has occurred and trigger the disaster recovery plan (DRP) and related processes.
Second, be the single point of contact for and oversee all the disaster recovery team.
Third, organize and chair regular meetings of the disaster recovery team throughout the disaster.
Fourth, present to the responsible party the state of the disaster and the decisions that must be determined.
Lastly, organize, supervise, and manage the disaster recovery plan (DRP) and author all DRP updates.

During a disaster, cloud-based applications should continue to run uninterrupted, but if they are not still running, use backups to redeploy into a different region. As a result, this does take some time, however, to transfer the required data and turn on the applications again, potentially updating links and shortcuts as needed.

Therefore, by adopting a cloud-first approach, we can leverage those providers’ scaling and redundancy.

If you don’t currently have a dedicated IT provider, the staff at Clearbridge are qualified in Amazon Web Services (AWS). As such, they cross-train regularly to expand their knowledge base, in addition to understanding detailed internal documentation so that they can handle recovery work in parallel.

4 – Incident Response Plan (IRP)

Your business should have a formal, focused, and coordinated approach when responding to security incidents.

To explain, an incident response plan (IRP) is an organized method that allows you to document the roles, responsibilities and steps your team will follow to identify, contain, eradicate, and recover from security incidents.

Steps include Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

For example, security incidents include unauthorized attempts to access systems or data, insider threats, phishing attacks, malware attacks, password attacks, man-in-the-middle attacks, etc.

a) Purpose

Your business IS A TARGET.

Today’s cybercriminals are equipped with sophisticated methods that put your data, systems, and information at risk.

As such, you need an incident response plan (IRP).

It ensures that your business is prepared to manage cyberincidents effectively and efficiently.

And so, with the right plan and team in place, your business will be better prepared to handle inevitable incidents, contain any damage made, and mitigate further risks to your company.

Furthermore, your incident response plan will allow you to deploy resources in an organized fashion with exercised skills and communication strategies.

Thus, an IRP is an overall plan for responding to security incidents.

It identifies the structure, roles and responsibilities, types of common incidents, and the approach to preparing, identifying, containing, eradicating, recovering, and conducting lessons learned to minimize the impact of future incidents.

The priority is to ensure your business can respond to security incidents effectively and efficiently.

b) Scope

The incident response plan (IRP) applies to all networks, systems, and data and impacts all internal and external stakeholders.

And so, your business will select employees to lead or participate with the incident response team.

They should familiarize themselves with the incident response plan (IRP) and be prepared to collaborate to minimize adverse impacts on your company.

Finally, an IRP assists your business with establishing incident handling and incident response capabilities and determines the appropriate response for common security incidents.

c) Event

An event is an observable occurrence in a system or network.

For example, events include when an employee connects to a file share, a server receives a request for a web page, or an employee sends an email.

d) Incident

An incident is an adverse event or the threat of the occurrence of an adverse event in an information system or network.

As a rule, an incident violates or threatens computer security policies, acceptable use policies, or standard security practices. It implies harm or the attempt to harm.

e) Severity Matrix

The incident response team has three main goals:

1 – Determine the severity of the security incident.

The team must consider whether single or multiple systems are affected.

Furthermore, they must determine if the situation is critical and whether it impacts single or multiple persons, the team, or the entire organization.

Lastly, the team will verify if single or multiple business areas are impacted.

It is also crucial at this stage to understand the relevant business context and what else is happening within the business at the time to assess the impacts and urgency of remediation.

2 – Consider the available information to determine the known magnitude of an impact compared with the estimated size, likelihood, and rapidness of spread.

The team must determine the potential impacts on the business, whether financial damage, brand and reputational damage or other harms. Similarly, the incident may be due to a sophisticated or unsophisticated threat, automated or manual attack, or could be nuisance/vandalism.

3 – Determine whether there is a vulnerability, exploit, evidence of an exploited vulnerability, or known patch.

Finally, the team will determine if this is a new threat (zero-day) or a known threat and the estimated effort to contain the problem.

5 – Wrap-Up

Technology evolves, and an organization’s IT landscape also changes with time. As such, the plans discussed today need to be updated and reviewed regularly.

Ensure the plans address any new risks. Your business will face changes and challenges impacting operations, so you must be aware and ready to pivot.

We know this is a lot of information and that you may have questions. Reach out to us today so that we can review and assess your business’ need for a business continuity plan (BCP), disaster recovery plan (DRP), and incident response plan (IRP). Arm yourself with these valuable tools to protect your business during a disaster or cyberattack!

Speaking of cyberattacks, we have some valuable resources as part of our Cybersecurity Toolkit you can access on our e-books page. Make sure you check it out and let us know how cyberready your business truly is! Of course, Clearbridge is here each step of the way, and we’re more than happy to guide you through the toolkit should you require assistance!

Our Products

Learn about ClearOne, our most comprehensive offering spanning all technology facets of your business.

Learn about IT Assurance, where we look after the technology systems you rely on every single day so that your people can focus on their work.