Michael Hickins | Content Strategist | May 16, 2024
Business continuity brings together people and technology to help organizations prepare for and overcome interruptions to normal business operations. Business continuity planning encompasses disaster recovery—the restoration of IT services following an unexpected outage—but its purpose is broader. The goal of a business continuity strategy is to keep the business up and running regardless of whether operations are impacted by an unplanned catastrophe, such as an earthquake, or a planned event, such as applying a major infrastructure patch.
Business leaders use business continuity as a paradigm for maintaining operations, even if in a temporarily limited capacity, in the event of unexpected or planned disruptions to normal business processes. These disruptions can include natural disasters, cyberattacks, armed conflict or other force majeure, global pandemics, power outages due to storms or flooding, infrastructure failures, planned maintenance activities, and even the unexpected departure of a key employee. Cloud computing technologies such as containerization and virtualization can help make business continuity measures more affordable for companies of all sizes.
Key Takeaways
Businesses typically adopt strategies to thwart existential threats such as established competitors, market entrants, sudden changes in customer behavior or tastes, and technological change.
However, another threat that’s more difficult to plan for is an unexpected, usually temporary event that makes it difficult or impossible for the business to continue operating as usual. Natural events such as hurricanes and prolonged heat waves can result in a loss of the electric power used to run facilities or critical IT services. Criminal entities or nation-states can interrupt IT operations or hold data for ransom. Other types of events, such as the unexpected death or departure of key personnel, supply chain disruptions due to war or labor strikes, and consumer boycotts, are equally difficult to plan for.
Successful companies therefore develop business continuity plans to provide a template for how managers and other employees should react should such extraordinary events occur.
On the flip side, companies that don’t have business continuity plans face significant peril. Even accounting for variables such as the industry, company size, and business type, downtime of an organization’s online presence alone can cost it between US$2,300 and US$9,000 per minute—and that doesn’t account for the cost of damage to its reputation and business relationships.
Most businesses can withstand slowing or halting their business activities for a short period of time, although banks, utilities, healthcare providers, and companies in some other industries aren’t afforded this luxury and must follow statutory requirements and ensure they can resume normal operations almost immediately following a disruption.
In most cases, irrespective of regulatory requirements, businesses can ill afford a prolonged disruption to their activities because even the most patient customers will eventually find alternative vendors. In fact, an extended downtime event at a competitor can present an opportunity for others in the sector to gain market share.
When planning for business continuity, organizations should also consider partners, vendors, and sensitive supply chains, where outages could have irreparable cascading downstream effects.
In its simplest terms, business continuity is the idea that an organization will continue operations in spite of disasters, events, nefarious acts, or other calamities that temporarily interrupt the ordinary course of business. It includes the following:
At its most basic, a business continuity plan (BCP) is the simple acknowledgement by leadership that unforeseen disruptive events, often outside the organization’s control, will inevitably occur and that they should take steps to ensure the company will be able to continue doing business, even if in a limited capacity for a short period of time.
A BCP must include the disaster recovery (DR) plan, which, as its name suggests, is a framework for recovering systems and, most importantly, data after an unexpected outage. Events that can cause such an outage include hurricanes or tornadoes that knock out power or make travel to corporate offices impossible, armed conflicts that disrupt supply chains, cyberattacks that render systems inoperable, and global pandemics that force people to work from home. But the most common cause of disaster is human error, such as an employee unwittingly falling for a phishing scam or a database administrator who doesn’t get around to applying a software patch until after the system is compromised.
And while it’s true that future events are impossible to predict, failing to prepare for them would be foolhardy—and against laws and regulations governing many industries. As Dwight D. Eisenhower, the former US president and supreme allied commander in Europe during World War II, noted: “Plans are worthless, but planning is everything.”
In other words, unexpected events can make the details of many plans irrelevant or anachronistic, but the very process of planning helps ready an organization for whatever may come next. Eisenhower also said of planning: “If you haven’t been planning you can’t start to work, intelligently at least.”
Still, DR is integral to but not the only key component of an effective BCP. A comprehensive BCP should include the following elements:
Business continuity planning is essential to the survival of an organization in the event of a natural disaster or other disruption to the normal course of business. Indeed, about 25% of businesses don’t reopen after disasters, according to the US Federal Emergency Management Agency. Businesses should take the following steps to build an effective BCP:
Finally, experts advise making recovery operations as automated as possible, allowing stakeholders and workers to focus on the overall business continuity plan. One example is using failover systems that automatically switch to backup servers or networks if the primary ones fail. Automation increases the chances of a positive, predictable outcome.
Business continuity plans are only as good as the habits of the people who use them. While predicting an actual disaster is near impossible, it’s entirely possible to simulate a disruptive event so staff can practice the actions they’ll likely have to perform. Before any testing can occur, stakeholders need to have seen and assimilated the BCP.
Tests should evaluate key elements of the plan, including reaction times to power outages and IT failures, the viability of both internal and external communications systems, and alert and activation procedures for key personnel.
Testing not only familiarizes people with their responsibilities in the event of a disruption, but it also helps identify plan gaps or flaws so they can be addressed before an actual emergency.
Best practices for this type of testing include the following:
BCMs should conduct tests at least annually and establish a format for stakeholders to share and review the results.
Business continuity plans in certain industries—notably financial services, utilities, and healthcare—are subject to local, national, and/or international standards. In fact, more than 120 business continuity management regulations apply to a variety of industries, according to DRI International, a nonprofit disaster recovery consultancy. These include Security and Exchange Commission, Financial Industry Regulatory Authority, and Sarbanes-Oxley regulations in the United States as well as the BASEL III international regulatory framework for banks and the International Organization for Standardization’s ISO 22301.
Other business continuity standards include the National Institute of Standards and Technology’s SP 800-34 and 24762 and the US National Fire Protection Association’s NFPA 1600 standard for continuity, emergency, and crisis management. More general business continuity regulations include the EU’s General Data Protection Regulation, which, because it governs the storage and dissemination of data, is also relevant to business continuity.
Business continuity and disaster recovery are closely related. Both are organizational plans for surviving and quickly recovering from a potentially catastrophic business disruption, and both are also closely linked to IT, given businesses’ reliance on IT infrastructure and applications.
To cite just one example of how dependent all businesses have become on IT, most professional sports venues in the United States no longer accept cash payments, meaning that computerized point-of-sale systems need to be operational for them to sell food, beverages, gear, and other goods.
ISO 22301 defines business continuity as “documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operations following disruption.” Disaster recovery is a subset of business continuity that involves restoring IT services, incrementally if necessary. A key way that business continuity differs from DR is that business continuity accounts for all business interruptions, including those that are planned.
Business continuity is contingent on a wide variety of factors, including the industry in which an organization operates and the nature of the disruption itself. But in the Information Age, almost all business continuity depends on some level of IT functionality. It’s therefore crucial for companies to make certain that they have appropriate levels of redundant infrastructure and data replication in place, not just to support the ordinary course of business but also to ensure the business can operate efficiently enough during a disruptive event.
The shorter the RTOs and RPOs, the better for continuity. However, the cost of achieving any RTO or RPO goes up as each objective becomes shorter. Architectural choices can help. Business leaders should consider using cloud computing and, optimally, containers to further isolate critical data from systems that have been disrupted. They should also look for cloud service providers with geographically disparate failover facilities.
One of the advantages of cloud computing from a business continuity perspective is what’s called “pilot light deployments,” where secondary sites or copies of corporate workloads can be as small as a single virtual machine (VM) or container. In the case of a failover, that single VM or container can, if needed, kick off an automated process that lets your organization spin up the rest of the infrastructure. And by using a pilot light deployment, organizations need only pay for that single resource rather than replicating an entire system.
Another strategy is the so-called “blue-green” architecture, where instead of having four to six redundant environments for development and testing and a separate one for production deployment, an organization deploys only two redundant, distributed environments. Let’s say the “blue” environment is production and the “green” is development and testing. When development is completed, the “green” environment becomes the primary production environment, and the “blue” environment is used for development, testing, and disaster recovery. This cycle then repeats itself.
Oracle makes it simpler and more affordable to develop a holistic business continuity plan. Because Oracle Cloud Infrastructure (OCI) was developed later than other hyperscale clouds, it was built for better efficiency and reliability, lower latency, and superior flexibility compared with competing clouds. In addition to containers, OCI has flexible virtual machines, which means businesses can buy only as much compute power as they need. Other providers offer less flexibility, requiring customers to overprovision their instances, costing them more money. OCI has multiple geographically separated cloud regions in many countries, enabling customers to remain compliant with data sovereignty regulations while still having disparate locations for the purposes of business continuity.
Based on decades of development experience and real-world customer feedback, Oracle has developed best practices called Oracle Maximum Availability Architecture (MAA). Oracle MAA provides the blueprint for implementing high availability, scalability, disaster recovery, and data protection solutions in Oracle Database environments.
The Oracle MAA best practices, maintained by a team of Oracle developers, continually validate the integrated use of Oracle Database High Availability features such as Oracle Real Application Clusters and Oracle Data Guard using chaos engineering techniques and other testing methodologies.
Oracle MAA is further extended with the Oracle Cloud Infrastructure Full Stack Disaster Recovery service. OCI Full Stack Disaster Recovery orchestrates the transition of compute, databases, and applications between OCI regions from around the globe with a single click. Customers can automate the steps needed to recover one or more business systems without redesigning or re-architecting existing infrastructure, databases, or applications and without needing specialized management or conversion servers.
Moreover, Oracle Autonomous Database and Oracle Exadata Database Service have redundancy built in, which means customers don’t pay extra for data replication within the same availability zone.
The expectations for business continuity have changed as the technology landscape has evolved. For example, most businesses used to think about RTOs in terms of so-called tier 1 applications, but less expensive cloud computing options, such as pilot lights, mean that organizations can afford to create business continuity plans for all their applications.
Cloud is key to a successful—and affordable—business continuity strategy. Learn why.
What are the 4 pillars of business continuity?
At its most basic, business continuity consists of assembling a team focused on business continuity, assessing which areas of the business are most at risk during a disruptive event, creating a plan for maintaining operations at minimally viable levels, and then rehearsing and testing that plan on a regular basis.
What’s the difference between business continuity and disaster recovery?
Business continuity is an organizational approach to ensuring that an organization can continue operating in some capacity through any disruption, planned or not, while disaster recovery focuses on bringing IT systems back up.
Why is having a BCP important?
Organizations that don’t have updated business continuity plans are at greater risk than those that do. At worst, they may permanently go out of business due to a significant unexpected disruption to normal operations that drives customers to competitors, loses data, and proves expensive to fix.