In previous posts, we examined understanding the business, the relationship between event response and recovery efforts, and how to build an incident response plan.\u00a0 The natural next step after initial response is the interim and permanent recovery of critical systems.\u00a0 However, before drilling into the mechanics of creating and managing a business continuity plan for recovery, I\u2019d like to step back and take a quick look at creating the controlling strategic framework upon which catastrophe response and recovery activities are based.ApproachHaving a management-approved business continuity strategy in place provides guidance relative to the requirements of initial response, what to recover, and to what extent it should be recovered.\u00a0 Many organizations plan to recover everything, a recovery strategy doomed to fail in large organizations.\u00a0 Building a strategy begins with understanding the business.\u00a0 Only with a thorough knowledge of what processes cannot be down for even a short period can you build an effective recovery plan.\u00a0 Armed with operations management approval of these processes, and an understanding of the underlying technology, you can make an informed decision about what to temporarily recover at a recovery site.\u00a0 The approach I recommend is to: Work with business managers to identify critical processes.\u00a0 Critical processes are those identified during the understand-the-business phase and ranked high when performing business impact analysis (BIA). Using the results of the BIA, and the time necessary to identify and prepare a permanent recovery site, identify those processes which must be part of the interim recovery activities (e.g., hot site). Work with business managers and key employees to identify technology requirements and possible manual workarounds. Document the results of Item 3 in a business recovery plan. Cycle through this process at least annually. ConsiderationsAgain, not all processes can be recovered.\u00a0 This includes some critical outcome activities.\u00a0\u00a0 However, business continuity teams must provide accurate information to management to ensure the right decisions can be made as to whether to accept or mitigate the resulting risk.\u00a0 According to BS 25999-1:2006 (Business continuity management code of practice, p. 21), managers should consider three things when assessing whether a process should be recovered and when: The maximum tolerable period of disruption of the critical process The costs of implementing a strategy or strategies for recovery or mitigation The consequence of inaction [defined in the BIA] There are also logistics considerations when building a strategy.\u00a0 It cannot be built in isolation.\u00a0 What is and is not possible must be considered.\u00a0 A strategy built on unachievable assumptions results in incident response and recovery plans with little or no chance of success.\u00a0 Logistical considerations include: Availability of key personnel.\u00a0 If a recovery site is out of town, how will employees reach the site?\u00a0 If a catastrophe encompasses a large geographic region, will employees even be available? Premises.\u00a0 Considering the list of critical processes, supporting technology, and manual workarounds, what are the office or data center requirements, including: Space Power Cabling Connection to the Internet Direct connections to outside businesses\/customers Forms Office equipment IT infrastructure.\u00a0 Entering into a contract for a warm or hot site requires considering what infrastructure is needed.\u00a0 The cost of the contract increases with increases in infrastructure requirements.\u00a0 When determining requirements, recovery teams must not only consider operational equipment.\u00a0 They must also consider what equipment is initially necessary to concurrently recover critical systems, if necessary.\u00a0 There are additional considerations, but working through these provides answers about what type of recovery, if any at all, is feasible.The final wordWhether a strategy is needed for smaller events (i.e., server failure, loss of key personnel) is up to management.\u00a0 However, a strategy is necessary before planning for events resulting in loss of most or all data center capabilities.