In the wake of disaster from Hurricane Sandy, more time and funding will most likely be given to continuity planning for 2013.

As every company surveys its risk during these final months of the year, organizations are making several costly mistakes when crafting a business continuity and disaster recovery plan. These myths can hinder the development and implementation of successful BC/DR planning.

Following are the biggest myths organizations should bust when creating (or failing to create) BC/DR plans:

• BC and DR are the same thing. A lot of SMBs are having IT develop duplicate systems in external data centers and believe this to be sufficient. What is the benefit of having a secondary order entry system when you have no way to take orders? To simplify, BC planning encompasses the development of all policies and processes that allow the company to continue its core business functions as well as provide its products and services. DR is a component of the BCP, defining those policies and processes necessary to support the company during a disaster or emergency.
• A loss won’t happen to me. Companies simply fail to consider the possibility of a loss or the existence of risks, which could significantly impact business. These companies fail to develop a BCP or DRP and instead implement legacy backup or locally clustered solutions believing this level of fault tolerance is sufficient. Development of a BCP to include a DRP must begin with the support of the executive management. Initial steps to ease their development include creating a complete inventory of all business departments, the processes they perform and the equipment of systems needed to perform those processes. This inventory provides the basis for the plans, documentation for the risk assessments and the criteria for the impact analysis.
• Having a secondary IT facility is enough. When companies develop their IT DRP they assume that all of the systems and devices must be replicated and that the entire environment should be tackled all at once. However, it is more important to perform a risk assessment and business impact analysis to determine the assets, which if they became unavailable would impact the company the most. These are the assets that should be considered when reviewing the need for secondary facilities and devices. Nevertheless, even these should be closely reviewed to determine the best and most cost effective protection. Depending on the type of loss and length of time a system can be down without major impact, there can be multiple options for DR. Simply developing a replica of the business environment can be costly and unnecessary.

Take a few minutes to survey your BC/DR plans. Have you made one of these assumptions today?

-Jerry Irvine