Effective Approaches to Disaster Recovery and Business Continuation Planning
Disaster recovery and business continuation planning is never a priority project when there isn’t a disaster, but it quickly becomes the priority when bad things happen. It is also common for organizations to look toward IT and network managers to write these plans although, ultimately, disaster recovery is everybody’s business.
This article presents the key tenets of effective disaster recovery planning, and presents a step by step guide on how to approach, execute and maintain a DR responsibility in the face of other daily work demands.
IT and network professionals spend part of their time each day ensuring that data is backed up, viruses and intrusions arc fought, and data centers are secure. For this reason, it is no accident that they are frequently called upon by corporate management to lead the way in disaster recovery and business continuation planning.
However, they should know when they are engaged to lead this process, that there are pitfalls in corporate understanding that they have to dislodge as they put a plan together.
Last on the List
The first realization should be that no one else in the organization wants to put the DR and business continuation plan together. Disasters and continuing the business are always the last thing on everyone’s list, especially with so many ongoing and pressing daily priorities. In fact, disaster recovery never becomes a frontline concern until a disaster occurs, and then it is too late.
Understanding this, an IT professional needs to build the awareness of disaster recovery and business continuation planning within the organization by explaining the liabilities and the consequences of not having one. He also needs to let people know from the start that DR and business continuation planning is everybody’s business, not just IT’s, although restoration of computing resources is a critical factor in successfully restoring a business.
The technology role in DR and business continuation planning is sustenance of mission-critical daily operations, privacy of corporate and client information, and peace of mind for shareholders. Technology is an operational and strategic centerpiece because so much corporate activity is dependent on IT resources. However, there are also other areas of the corporate DR and business continuation planning that need to be addressed, such as employee safety and internal and external communications during a crisis.
From the start, work with executive management and managers throughout the business to impart the understanding of what technology can and cannot do in a DR and business continuation plan. Employee safety is typically spearheaded by Human Resources. Corporate communications is typically spearheaded by public relations and corporate executive management. NonIT operations should be spearheaded by business unit managers.
The sooner everyone understands that technology is not the entire part of the DR and business continuation plan the better, and the likelier that you will get the assistance you need from others and their areas of expertise so a comprehensive plan can be assembled.
Talk to Your Vendors
Today more than ever, companies are intermeshed with vendors who provide critical products and services. Network and data center managers cannot assure stakeholders inside and outside of the organization that there will be a smooth recovery from a disaster or a business interruption without making sure that key hardware, software and service vendors are on board.
The first step in assuring this is to make sure that a paragraph that specifically addresses disaster recovery and business interruption support is present in contracts negotiated for hardware, software and services. In this paragraph, specific metrics should be specified for time to response and levels of support during a time of disaster. This is the perfect opportunity to discuss DR and business continuation with a prospective vendor, and to ensure that the vendor has the will and the ability to support you in a crisis.
If existing contracts do not contain a disaster recovery provision, the recommendation is to contact vendors to explore the feasibility of amending contracts to include one. If a contract can’t be amended and you like the vendor, the approach would be to ensure that a disaster recovery provision is included the next time a new contract is negotiated.
Not every IT vendor needs a disaster recovery and business continuation provision written into a contract. Since disaster recovery and business continuation operations should only address the “bare bones” systems that are needed to conduct the business, systems that would be deemed as ancillary during a crisis (e.g., a decision support system) do not need to be included.
Develop a Test Plan
Once the disaster recovery and business continuation plan is written, it is critical to exercise the plan at least annually. This ensures that everyone involved understands their roles. The other benefit derived from regular testing is practical knowledge of what works and what doesn’t.
Since disaster recovery is never a priority until a company experiences a disaster, it is recommended that you choose several areas of the DR plan to test each year and that you rotate the areas to be tested on an annual basis. In this way, every area of the plan eventually gets tested out.
The second caveat is ensuring that everyone in the organization, not just IT, partakes in these tests. Communication to stakeholders and employees is critical during a disaster, as is rumor control. These functions are not central to IT, but can generate big problems if they are not done well. On the operational side, numerous functions may need to be performed manually if systems fail. Operations managers should take charge of these. The best way to check the adequacy of manual or backup procedures is in a test.
Tests should also involve key disaster recovery vendors such as hotsites, hardware repair response, etc. If budgetary dollars need to be set aside for vendor time, an appropriate funding should be planned for and made.
Finally, there should be “post mortem” review after each disaster recovery test. Invariably, some policies and procedures defined on paper do not always work in practice. These need to be identified and revised, based on what was learned from the test scenario. The results of these tests should be reported and reviewed with the highest levels of management and, if possible, with the board of directors, as all of these individuals have a responsibility to shareholders.
A Plan Is a Living Document
Like any other policy or procedure, a disaster recovery plan is a living document. One major challenge for IT, or for anyone else charged with responsibility for maintaining the plan, is keeping the plan current.
Annual testing is hugely beneficial for keeping revisions to plan on track, because adjustments can be readily made as a last step after the analysis of test results. Once changes are made, distribution of revisions and training based upon the changes to the plan should be systematically performed for those individuals throughout the company who are involved in the disaster recovery effort.
Companies often fall into the trap of writing a strong disaster recovery plan and then forgetting about it for several years. As a result, they end up redrafting a disaster recovery plan and losing many hours in the process. Critical appendices to the plan, such as your hardware and software inventory, your network schematic, and a current list of telephone numbers, should be routinely maintained any time a change is made.
The remaining plan content should be revised, pending the outcome of regular testing or the presentment of new corporate or outside conditions that warrant a change in disaster recovery thinking.
Other Things to Watch for
Over the past, the majority of IT effort in disaster recovery and business continuation was spent on restoring mission-critical systems linked to operations, customers and suppliers. Internal systems such as corporate e-mail were not considered priorities. However, the reliance on e-mail and other office communications today is so great that modern thinking has changed. Many organizations now identify corporate e-mail as a mission-critical system, especially when other common communications conduits, such as telephones and voicemail, might be “down.”
If a disaster recovery plan is a major project for you, and you don’t have the time or the staff to perform it, you might consider engaging a disaster recovery consultant to assist you in producing your first plan. A consultant can be engaged on a continual basis (e.g., periodic disaster recovery plan testing and revision), or you can work with a consultant for a turnover of the written DR plan to your staff once the plan is complete.
Disaster recovery instructions should be simple and straightforward. A disaster places enormous pressure on those encountering it. Under this level of stress, it is easy to make mistakes.
If you are charged with a leadership role in disaster recovery planning and execution, people will be looking to you for emotional support and strength of execution during the disaster. A strong DR plan is one of your most valuable assets.
Mary Shacklett is a regular contributor to Enterprise Networks & Servers and president of Transworld Data, a marketing and technology firm based in Olympia, Wash., One of the services Mary provides is development and assistance in disaster recovery planning and execution. Mary may be contacted at TWD_Transworld@msn.com or 360-956-9536.
Copyright Publications & Communications, Inc. Jul 2004
Provided by ProQuest Information and Learning Company. All rights Reserved