Question

Can you help with the Core concepts of the continuity plan and its interrelation? See instructions. Thank you in advance.

Please add a short introduction and conclusion based on the subject.

Core Concepts of the Continuity plan and its Interrelation Please, analyze the concepts to answer the following questions. De

Answer #1

1ANS-

Business impact analyses are sets of data that form the foundation of a strong business continuity plan. These sets of information concern various effects and setbacks that might affect different business processes. As the name suggests, performing a business impact analysis serves to assess what type of impact a particular issue will have on one of your business processes.

Now, does your credit union need a business impact analysis? In short, yes. The BIA is the cornerstone of all of your credit union’s planning. The data you receive from it allows you to better understand exactly how long the specific system or process will be affected and what effect that will have on any related or interconnected systems. A comprehensive evaluation of threats--and what impact those threats might have--is the key to building an efficient pathway back to peak productivity.

Your credit union might be impacted in several ways, so it’s best to gauge repercussions over several areas. Try to ask questions about different areas.

  • How will a disaster impact members?
  • How will it impact facilities?
  • How might it affect operations?
  • Will this increase our exposure to fraud?
  • Is IT able to recover quickly?

Speaking of recovery, recovery time is one of the most important things to be aware of when estimating business impact. Often, it may be easy to look at one aspect of recovery and then apply that specific recovery time to everything else that relies on it. For example, if the server is down, maybe you can get the server back up quickly. However, just because the server is back up doesn’t mean that the entire system is back online and ready to serve members, or that the staff is prepared. A reasonable recovery time objective has a broader valence: it encompasses one particular business function recovering all aspects of that business function.

As with all things related to business continuity, business impact planning is always better when it’s tested. If you’ve ever cooked a meal, you’ll know that best results come from persistent testing of the recipe. You don’t want to over-salt, nor under-season, or leave something on the burner too long. Even tried-and-true recipes benefit from a little tweaking here and there to better fit the palates of the diners. If you wait until you serve the food to sample it, you may find that not everything tastes as you’d expect and it may not be to your liking. Similarly, with business impact planning, your credit union will be well served to test impact and recovery as you go. If you expect a certain impact and recovery to take four hours, run a test to see how long it really takes. If you can’t hit that four-hour time, not only will you gain valuable insight as to what all you need to take into account in recovery, but you can also adjust your practices to reach your desired recovery timetable.

Business impact analysis is extremely valuable for any credit union looking to best serve their members in any emergency event. By accurately profiling what effect various problems might have, you’ll get a clearer picture and build a better plan for recovery.

2ANS-

The first phase of the Maximum Tolerable Downtime (MTD) is the recovery time objective. This is the timeframe during which systems are assessed, repaired, replaced, and reconfigured. The RTO ends when systems are back online and data is recovered to the last good backup. The second phase of the MTD then begins.

Maximum Tolerable Downtime (MTD)

This is just as it sounds -- the maximum time a business can tolerate the absence or unavailability of a particular business function. (Note: The BCI in the UK uses the phrase Maximum Tolerable Outage (MTO) instead.) Different business functions will have different MTDs. If a business function is categorized as mission-critical, or Category 1, it will likely have the shortest MTD. There is a correlation between the criticality of a business function and its maximum downtime. The higher the criticality, the shorter the maximum tolerable downtime is likely to be. Downtime consists of two elements, the systems recovery time and the work recovery time. Therefore, MTD = RTO + WRT.

Recovery Time Objective (RTO)

The time available to recover disrupted systems and resources. It is typically one segment of the MTD. For example, if a critical business process has a three-day MTD, the RTO might be one day (Day 1). This is the time you will have to get systems back up and running. The remaining two days will be used for work recovery.

3ANS-

RPO simply means how much data one can afford to lose and hence re-create. Based on the impact the loss can have on your ability to resume services, you analyze and decide your back-up and DR strategy. If you can't afford the back-up and DR strategy, then you revisit your take on the impact to your business.

Now let’s look at RTO. From a definition point of view, it’s the amount of time you can afford to wait from the time of disruption or disaster until you resume your services. Here come the SLAs & QoS. Your service may have different grades for different customers and so on. For an existing customer, you should have access to data about the customer. For a new customer, you may be fine as long as you are able to enroll him/her.

For some, servicing existing customers may be more important than acquiring new ones in times of disruption. Therefore, the RTO would be different for each of the two customers in our assumption.

Accordingly, RPOs would differ. In this example, RPO needs to be achieved first and hence it needs to be relatively less than the RTO. Don't confuse this with a short RPO, which means a very low tolerance to data loss.

So, there can be scenarios, where you may be able to resume some services before data could be restored or you may not until data are either partially or fully restored. Therefore, it would be very important to understand the impact to your business, dependencies of your services provided and your appetite for impact.

The lower the appetite, the higher will be your investment in BCP and DR.

So, RPO and RTO are related in the way you define them in light of the services you provide, service dependencies, SLAs and the impact to the business.

Acronyms Used:

RPO - Recovery Point Objective

RTO - Recovery Time Objective

BCP - Business Continuity Planning

DR - Disaster Recovery

SLA - Service Level Agreement

QoS – Quality of Service

4ANS-

Recovery point objectives refer to your company’s loss tolerance: the amount of data that can be lost before significant harm to the business occurs. The objective is expressed as a time measurement from the loss event to the most recent preceding backup.

If you back up all or most of your data in regularly scheduled 24-hour increments, then in the worst-case scenario you will lose 24 hours’ worth of data. For some applications this is acceptable. For others it is absolutely not.

For example, if you have a 4-hour RPO for an application then you will have a maximum 4-hour gap between backup and data loss. Having a 4-hour RPO does not necessarily mean you will lose 4 hours’ worth of data. Should a word processing application go down at midnight and come up by 1:15 am, you might not have much (or any) data to lose. But if a busy application goes down at 10 am and isn’t restored until 2:00 pm, you will potentially lose 4 hours’ worth of highly valuable, perhaps irreplaceable data. In this case, arrange for more frequent backup that will let you hit your application-specific RPO.

Depending on application priority, individual RPOs typically range from 24 hours, to 12, to 8, to 4; down to near-zero measured in seconds. 8-hour-plus RPOs might be able to take advantage of your existing backup solution as long as it has a minimum impact on your production systems. 4-hour RPOs will need scheduled snapshot replication, and near-zero RPOs will require continuous replication. In cases where both the RPO and RTO are near-zero, combine continuous replication with failover services for near-100% application and data availability.

5ANS-

Business Continuity Planning and Disaster Recovery Planning are two sides of the same coin. Each springs into action when a disaster strikes. The difference between BCP and DRP can be expressed in the following two statements:

  • BCP: Business Continuity Planning is concerned with keeping business operations running - perhaps in another location or by using different tools and processes - after a disaster has struck.

  • DRP: Disaster Recovery Planning is concerned with restoring normal business operations after the disaster takes place.

Here’s the scenario: The business in question is a delivery service with one delivery truck that delivers goods around the city.

Business Continuity Planning is concerned with keeping the delivery service running in case something happens to the truck, presumably with a backup truck, substitute drivers, maps to get around traffic jams, and other contingencies that can keep the delivery function running.

Disaster Recovery Planning, on the other hand, is concerned with fixing the original delivery truck. This might involve making repairs or even buying/leasing a new truck.

While the Business Continuity team is busy keeping business operations running via one of possibly several contingency plans, the Disaster Recovery team members are busy restoring the original facilities and equipment so that they can resume normal operations.

Here’s an analogy. Two boys kick a big anthill - a disaster for the ant colony. Some of the ants will scramble to save the eggs and the food supply; that’s ant city continuity. Other ants will work on rebuilding the anthill; that’s ant city disaster recovery. Both teams are concerned with the anthill’s survival, but each team has its own role to play.

BCP and DRP projects have these common elements:

  • Identification of critical business functions via the Business Impact Assessment and Vulnerability Assessment

  • Identification of possible disaster scenarios

  • Experts who understand the organization’s critical business processes

This is where the similarities end. The BCP project diverges on continuing business operations whereas the DRP is recovering the original business functions. While both are concerned with the long-term survival of the business, they are different activities.

That is all about your answer. Please upvote my answer, please.
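
The relations stated across the answer above (MTD = RTO + WRT, worst-case data loss equal to the backup interval, and testing recovery against the expected time) can be checked mechanically over a BIA register. This is an added example, not part of the original answer; the register entries, field names, finding codes and the one-hour cut-off between snapshot and continuous replication are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class BusinessFunction:
    name: str
    mtd_h: float               # maximum tolerable downtime, hours
    rto_h: float               # recovery time objective (systems recovery)
    wrt_h: float               # work recovery time
    rpo_h: float               # tolerated data loss, expressed in hours
    backup_interval_h: float   # time between backups or snapshots
    drilled_recovery_h: Optional[float] = None  # measured in the last recovery test

def replication_tier(rpo_h: float) -> str:
    """Backup method per RPO band, following answer 4 (the 1 h boundary is assumed)."""
    if rpo_h >= 8:
        return "existing backup solution"
    if rpo_h >= 1:
        return "scheduled snapshot replication"
    return "continuous replication"

def audit(fn: BusinessFunction) -> list:
    findings = []
    # MTD = RTO + WRT: both recovery phases must fit inside the tolerable downtime.
    if fn.rto_h + fn.wrt_h > fn.mtd_h:
        findings.append("MTD_EXCEEDED")
    # Worst-case data loss equals the gap between backups.
    if fn.backup_interval_h > fn.rpo_h:
        findings.append("RPO_MISSED")
    # A tested recovery that overran the objective means the plan needs adjusting.
    if fn.drilled_recovery_h is not None and fn.drilled_recovery_h > fn.rto_h:
        findings.append("RTO_DRILL_MISSED")
    return findings

# Constructed sample register (not real data).
REGISTER = [
    BusinessFunction("member online banking", 72, 24, 48, 4, 24, 20),
    BusinessFunction("card processing", 8, 4, 6, 0.01, 0.005, 5.5),
    BusinessFunction("internal newsletter", 120, 48, 24, 24, 24),
]

def audit_register(register=REGISTER) -> dict:
    return {fn.name: audit(fn) for fn in register}

if __name__ == "__main__":
    for fn in REGISTER:
        print(f"{fn.name}: {audit(fn) or 'OK'} -> {replication_tier(fn.rpo_h)}")
```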
