Who should be responsible for Disaster Recovery Planning?

Many organizations treat Disaster Recovery Planning as an Information Technology strategy and place responsibility for it with the CIO, who in turn holds IT Infrastructure Management accountable for it.  I propose to you that you need much more than a Disaster Recovery Plan (DRP) to fully protect your business and ensure that you stay in business following a major disaster.  I further propose that responsibility for the DRP is misplaced.

Many organizations use different terminology in this area, often interchangeably and incorrectly.  A Business Contingency Plan is made up of three parts: an Incident Response Plan (IRP), a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP).  Businesses also often put responsibility for all three plans onto the IT department.  Business contingency involves the entire organization, not just IT; therefore responsibility for business contingency planning falls to the CEO and everyone under him or her, not the CIO.  Just as there are three different plans with three different objectives, there should be three different teams responsible for them, with some overlap of personnel.

The IRP handles short-duration technical incidents that may or may not affect the entire company: IT infrastructure failures, hacker attacks or viruses.  These are handled by the IT infrastructure team and fall under the direction of the CIO.

The BCP is concerned with keeping the business running during a disaster, natural or man-made.  This includes relocating the business to temporary facilities, for as long as necessary, when the normal facilities are uninhabitable.  The BCP can also be initiated when an IT infrastructure failure exceeds a pre-determined time threshold, so that threshold should be written into the plan and agreed with the business beforehand.  As this deals with business operations, it falls under the direction of someone with COO authority.

The DRP is often initiated with, or shortly after, the BCP and deals with getting the business back to normal operations.  This means returning the normal facility to operational status or, if it is a complete loss, obtaining new facilities for the company.  As this is largely a financial matter, it falls under the direction of someone with CFO authority.

This does not mean that IT will not be involved with the BCP or DRP.  On the contrary, each plan needs a cross-business team to develop, maintain and test it, and IT and business unit members will serve on each team.  Testing of the plans should, at times, involve the entire organization.  Just as you run fire and tornado drills to protect your people, business contingency plans should be tested to protect the resilience of the business.

Some members of these three teams will make up the Business Contingency Team, which is directed by the CEO.  Part of business contingency planning is mitigating the risk of a disaster hitting the company, or mitigating the effect of a disaster on the company.  Each plan should identify the types of disaster that could affect the company, evaluate their probability, and formulate risk mitigations for them.

So, to ensure that your organization is ready to respond in the event of a disaster and that you will stay in business following even the most severe of disasters, you need a fully integrated Business Contingency Plan, not just a Disaster Recovery Plan.  These plans should be part of the company culture; everyone should know they exist and know their own responsibilities when one of them is activated.  Business Contingency Planning is not an IT solution; it is a business preparedness solution.