Business Continuity & Disaster Recovery Management (BDM)

Business Continuity and Disaster Recovery has gained increased importance over the last decade. Expanding security threats, on the one hand, and large-scale disruptions due to natural calamities, on the other hand, pose serious challenges to the ability of businesses to continue their operations. Data Security Council of India (DSCI) recognizes that Continuity Management is one of the critical elements of an organization’s security initiatives. Business Continuity and Disaster Management are two distinct but interdependent disciplines. The scope of the former expands beyond IT, whereas the latter is identified with IT. Business Continuity and Disaster Management (BDM) is an important area of DSF©.


The concepts around BDM are changing, providing directions for bringing maturity, asking to shift the focus from tactical to strategic, focusing on integrating silos, and prescribing a system approach for recovery. The technology and services ecosystem around continuity management and disaster recovery has also changed, thanks to the advancement of technical solutions and the emergence of different service offerings in this area. DSCI Best Practices have taken note of these changes along with the conventional understanding of continuity management.


The BDM function has historically been viewed as a tactical function. Predominantly attributed to IT disaster recovery, it has been focused on the tactical response to a disaster. Drivers such as 24/7 service delivery, globalization and increasing operational risks are expanding the scope of continuity management beyond IT. Increased complexity of business transactions and their critical dependency on IT require strategic management of the BDM function. Strategic initiatives such as aligning the continuity operations to business priorities, creating resilient architecture, sourcing resources for recovery services, and operational excellence through automation of the planning process deliver a high level of maturity in the BDM function.


Another problem with the BDM function is that it is considered a project rather than an operational practice. Therefore, it lacks consistency in continuity operations. A specific attempt is required to operationalize continuity capabilities to ensure that BDM is an ongoing program and sufficient resources are available for all operational elements.

  • Business Alignment Strategy
    • Ensure that an inventory of business processes exists, and each business process is prioritized based on its sensitivity and criticality to overall business strategy
    • Develop a ‘dependency mapping of business processes’ with IT (Application, Infrastructure, Data, Messaging)
    • Develop ‘enterprise level recovery objectives’: define Recovery Time Objective (RTO), Recovery Point Objective (RPO) and Service Delivery Objective (SDO) for each business process
    • Create a map of BDM specific compliance requirements that an organization is exposed to
    • Ensure that Lines of Business (LOBs) are involved in, and are made accountable for business specific requirements of BDM
    • Ensure that significant visibility over dependency of business processes on the supply chain network exists, which helps develop a strategy for vendor management and rerouting arrangements
  • BDM Strategy
    • Create an ‘inventory of scenarios’ that could lead to disruption, identifying all possible threats. Incorporate the new-age threats such as terrorist attack and city outage into scenario building
    • Perform Business Impact Analysis for each business process and corresponding IT infrastructure to provide input on ‘enterprise recovery objectives’ and primitive business processes
    • Develop Disaster Recovery & Business Continuity strategy for all identified scenarios. Create a ‘scenario X recovery strategy’ map to have visibility and common understanding over the DR/BCP strategy
    • Develop a catalog of recovery services and ensure that sufficient resources and skills are arranged to manage BDM function, solutions, processes and services
    • Ensure reporting of BDM function to strategic layer of organization
    • Ensure coverage of BDM program is extended to all operational locations, all relevant departments like HR, Admin, Physical Security, and includes that of Lines of Business units too
  • BDM Organization
    • Define BDM oversight committee, which is represented by cross-functional departments like IT infrastructure, Application Development & Maintenance, Security, HR, Admin, and Facility Management
    • Ensure that a role is established to head the BDM function, reporting to the CEO/COO, convening the oversight committee, and responsible for setting the vision, tracking the implementation of BDM projects, operationalizing BDM capabilities and monitoring performance of BDM operations
    • Define BDM tactical and operational roles with clear responsibility structure
    • Define BDM specific responsibilities for Lines-of-Business (LOB) units
    • Define BDM specific responsibilities of support functions – Admin, Physical security, facility management
  • Continuity Plan
    • Make an inventory of all functions, elements, activities and processes that provide key resources to the continuity plan
    • Document the enterprise level business continuity plan that is based on the scenario based recovery strategy
    • Document each recovery process stating its relationship with all functions and departments involved and describe their dependencies on IT and other support elements
    • Support the continuity plan with documentation of IT infrastructure management and operational guidelines required for recovery of disrupted systems
    • Define responsibilities and process for configuration, change and testing of continuity plan
    • Establish a mechanism for reviewing execution and enforcement of the business continuity plan and for identifying the elements that need updating to incorporate changes in enterprise ecosystem and emerging threat landscape
    • Incorporate epidemic/pandemic planning as part of continuity planning
  • Technology for Business Resiliency
    • Ensure that all redundancy technology measures are derived out of a well defined ‘Availability Architecture’
    • Ensure that an adequate level of redundant infrastructure measures is implemented at data centers, networks, systems & servers, endpoints, messaging platforms and security infrastructure levels
    • Ensure that the application is designed and deployed in a way to deliver resiliency of business operations and ensure faster recovery in case of disruption
    • Ensure that data architecture is planned to provide resiliency at data level against stressful IT operations or disaster events
    • Ensure that backup solutions and associated processes are in sync with ‘Enterprise Recovery Strategy’
    • Ensure that IT performance management, that deals with capacity management and system load testing, has a linkage with BDM and provides critical inputs to technical recovery strategy
    • Ensure that strategy is in place for recovery of security functions
    • Ensure that recovery strategy exists for all supporting technical elements and peripherals such as telecom, data links, printers etc.
  • Crisis Management
    • Ensure that arrangement is made to establish a Crisis Operation Center in case of disaster; and that it is entrusted with responsibility to manage and monitor the progress and response to all types of potential and actual business disruption events
    • Ensure that responsibility of coordination of crisis management activities lies with enterprise level function, which reports to the senior management of the organization
    • Ensure that all operational processes, functions and elements for crisis management are defined and sufficient resources exist or an arrangement is made to make them available in case of a disaster
    • Ensure that crisis communication mechanism, a set of norms and processes for the communication exists for all internal and external stakeholders
    • Ensure that a process is established for emergency notifications along with proper norms and accountability for it
    • Ensure that responsibility of coordination with local bodies is defined – coordination in case of a disaster is required with regional government bodies, law enforcement agencies and other public departments
  • Safety of Workforce
    • Ensure that emergency evacuation plan is prepared for all operational facilities, and communicated to employees
    • Establish plan and process of evacuation drill, covering all operational facilities. Conduct frequent and surprise drills
    • Ensure that emergency techniques are implemented for safety of human beings like alarm notification and release of access mechanism on disaster notification
  • BDM Operations
    • Maintain inventory of all operational elements of BDM and ensure that sufficient resources are available for each of them
    • Ensure that BDM program is managed as an ongoing program and treated as an operational practice rather than a project
    • Ensure that operational linkage is established between change management and BDM processes in order to provide inputs for refinement of the continuity plan
    • Ensure that measurable metrics are defined and implemented for measuring the performance of all BDM specific operational activities
    • Ensure that complete visibility exists over BDM program, processes, functions and activities, along with their performance state
    • Ensure that the knowledge generated out of the BDM program and continuity operations is managed effectively. This will strengthen recovery capability, and even provide key inputs to enterprise strategy
  • Complete visibility over BDM readiness
  • Alignment with business requirements, and involvement of business
  • Shift from tactical to strategic
  • Focus on integrating silos
  • Proactive approach: focus on prevention
  • Availability Architecture initiative
  • End-to-end service continuity
  • Scenario based planning
  • Continuity Plan – documented and actionable
  • Systematic recovery – Recovery Services Catalog
  • Focus on critical gap closure
  • Comprehensive resiliency testing
  • Operational practice rather than a project
  • Operational Excellence
