Contingency Planning Explained: Risk, Incident Response, Disaster Recovery, and Business Continuity Plans

Risk planning, incident response planning, disaster recovery planning, and business continuity planning will be discussed here. An extra emphasis will be placed on the distinctions among the plans. A brief overview will be given followed by an outline used to facilitate the visualization of all the separate pieces and keep the focus on dissimilarity.

This is a big topic with discrete parts. The problem is that most people tend to lump all of the parts into one big confused mess. Hopefully this will clear things up a bit.

Believe it or not, there is a process to contingency planning. It all starts with risk identification. This can be done via vulnerability assessments or penetration tests and threat assessments. Once risks are identified they are assessed and classified. This will determine how probable and devastating the risk might be; it also identifies the risk as a physical, technical, natural, or person risk. Ranking risks helps ensure that the most resources go to the most prominent risks.

Incident response planning is the next step. Incident response plans assume that a threat will be realized. One plan should be made for each threat that does not constitute a disaster to the business. It’s best to plan for the process of mitigation, response, and recovery using the before, during, and after approach. The before plan lists steps taken to mitigate and prepare for an incident; the during plan lists steps taken to absolve the threat; the after plan lists steps taken to recover after the threat has been handled. Incident response plans focus on the threats that will not jeopardize business operations.

Disaster recovery plans are similar to incident response plans, except that they do focus on the threats that devastate business operations. These also include things like fire and natural causes. Incidents can escalate to disasters if the business impact is great enough. These, too, are best addressed in the context of before, during, and after.

For every disaster plan, there should be a business continuity plan. Business continuity plans are plans to keep the company operating (generating revenue) in light of a disaster. Whereas disaster recovery plans focus on fixing what broke, business continuity plans focus on maintaining business operability while the fixes are made. Redundancies play a large role in business continuity planning. Having a hot, warm, or cold site is a common approach to achieving redundancy.

The outline is numbered to indicate parent/child relationships between the various plans so it is obvious which plans need to occur first and how they are triggered or escalated:

1. Risk identification
– vulnerability assessment
– penetration test
– threat assessment
2. Risk assessment and classification
– risk ranking
– business impact analysis
– mitigation costs
– recovery costs
4. Incident response planning
– non-devastating threats
– mitigate, respond, recover
5. Disaster recovery planning
– devastating threats
– mitigate, respond, recover
6. Business continuity planning
– keep operations running during disaster response and recovery