Traditionally and historically, disaster recovery and business continuity programs focus on the aftermath of a disaster and strategies and solutions for getting critical business processes and the technology that supports them up and running in a timeframe necessary to keep the organization solvent.
But, I wonder, do we do enough planning and provisioning to prevent the disasters and their impacts in the first place? The traditional business continuity planning methodology does include conducting a Risk Analysis to identify threats that could result in a business interruption event. But, often, this information is simply used to justify the need for creating disaster recovery and business continuity plans and solutions. Do we, as business continuity planning professionals, spend enough effort on disaster prevention planning and risk mitigation?
Perhaps, that is not our jobs – but, then, who does this?
Now, I am usually the first to say that it doesn’t matter what you do to prevent disasters or protect your facilities, there is always the chance, as small as it might be, that the business will be interrupted and you will require contingencies – but, that doesn’t mean you should not try to prevent disasters and harden your facilities. The challenge is, getting the right balance between the two, including deciding the best way to allocate limited resources to the planning effort and implemented solutions.
This FEMA web page offers a number of links to resources and articles that can help you identify risks and implement prevention and protection techniques. I think it is worth your time in reviewing this material.
Again, I don’t think any of this is justification to not create disaster recovery and business continuity plans, I just think it wouldn’t be a bad idea for the business continuity planning professional to also become the disaster prevention planning professional as well.