EFFECTIVE DISASTER RECOVERY & BUSINESS CONTINUITY

Best Practices


If I had to distill the best practices of an effective DR and BC program, it would boil down to a short list of four concepts. Each concept directs you to pursue a course of action that contributes to a successful Disaster Recovery (DR) & Business Continuity (BC) program.

These four concepts are:

• Work out a realistic vision of your organization’s survival objectives and develop your plan based on it. The key word is “realistic.” You need to know your organization's objectives are realistic because your plans need management's support.

• Review and regularly refine your plans. Be proactive. Your DR and BC plans are meant to be living documents. They’re useless if they sit on the shelf. Review the plan internally as well as through the eyes of experts. Unearth shortcomings. Cover the gaps. America’s leaders don’t think it’s a question of “if” but rather a question of “when” before terrorism strikes at our heartland again.

• Anticipate and adjust to your environment. Continuously. There are “big” changes like new regulations and new technologies and “small” changes like employee turnover and new phone numbers. Big or small, these changes must find their way into your plans.

• Practice for the real thing. There’s no substitute for going through the exercise. It’s probably not possible to exercise all or even most of the plan but that shouldn’t stop you from doing parts at a time. Seek senior-level sponsorship especially for this next piece. Exercise your plan with as little advance notice as possible. Disasters don’t usually announce themselves—they just happen, don’t they? Practice benefits you an important way. It exposes your plan’s flaws. Most of the time, you’ll find it’s the people that “betrays” you. Their apparent apathy is behind their lack of preparation. This reminds me of a fire drill years ago at our office on the umpteenth floor of a high-rise. Nobody took the drills seriously—even the “old-timers”—until building management hired a retired fire chief to conduct the drill. In gruff tones and with piercing eyes, he told us how quickly the flames would spread and why we would probably not burn to death. The smoke, he growled, would kill us first.

There you have it. Four common sense concepts:

1. Identify and fill in a realistic vision of your organization’s survival objectives. What are the goals and what will it take to achieve them?
2. Review and regularly refine your plans. Don’t wait for a disruptive event to update your plan. Be proactive.
3. Anticipate and adjust to your environment. Ensure senior management is involved. BC and DR are not IT concerns. They’re business concerns. IT just happens to be the one tasked with the program.
4. Practice for the real thing. Flush out your deficiencies. You can bet there’ll be many. Hire a fire chief and then begin a regular disaster awareness and training program.

Good luck!

BUSINESS CONTINUITY PLANNING

Planning takes four steps

It took a while but business continuity planning (BCP) has finally become visible on the radar screen of managers and owners of smaller businesses (< $100 million sales). It’s about time too. The state of the world today is far more volatile than it was a mere eight years ago. Nine 11 did change everything.

Every organization should plan for its continued existence in the event of a major disruption. How will it continue to operate if its operation—and existence—is disrupted by any number of natural or man-made disasters?

The practice of Business Continuity Planning (BCP) has evolved into a recognized field. Job titles that carry or imply this area now exist. Practitioners can join any number of reputable associations that promote this field. Several recognized certifications can now be earned as well.

I had the good fortune of working as a Sales Systems Engineer for the world’s largest enterprise storage vendor just before the dot com crash. I’m referring to EMC, the 800-pound gorilla of the enterprise storage space. At that time, the basic rationale behind EMC’s fabulously expensive SRDF (Symmetrix Remote Data Facility) was real-time replication for disaster recovery (DR). Under the proper guidance, it can be a short leap from DR to BCP. And that is where SRDF is now positioned—as the lynchpin of the data side of business continuity planning.

The mission of a Systems Engineer who works in Sales is to support his sales reps by designing the storage and DR solutions for customers and prospects alike. To him fell the task of dealing with the technical aspect of any proposal or project. This frequently involved making technical presentations for prospects and serving as the single point-of-contact for existing customers that were contemplating system upgrades.

Disaster recovery (DR) is a subset of the BC solution. Many fine definitions of the term abound so rather than reinvent the wheel, I will quote some of the better ones. Disaster recovery is:

• the process, policies and procedures of restoring operations that are critical to the resumption of business [Wikipedia].
• the ability of an organization to respond to a disaster or an interruption in services by implementing a disaster recovery plan to stabilize and restore the organization’s critical functions. [Disaster Recovery Journal].

Wikipedia goes on to say that…

• a disaster recovery plan (DRP) should include plans for coping with the unexpected or sudden loss of communications and/or key personnel, although these are not covered in this article, the focus of which is data protection. Disaster recovery planning is part of a larger process known as business continuity planning (BCP).

Disaster Recovery Journal continues as well…

• The management approved document that defines the resources, actions, tasks and data required to manage the technology recovery effort. Usually refers to the technology recovery effort. This is a component of the Business Continuity Management Program.

The two share the common thread in their reference to business continuity planning and its inclusion of disaster recovery within its larger scope.

I will continue this in a subsequent post. For now, let me break down the steps that BCP entails. The process follows these four steps in a logical sequence.

Identification

Identify risks and hazards that confront your business. These can be natural hazards, e.g., flooding and earthquake, or man-made risks, e.g., power outage, theft, fire, attack against your computer network. Obviously you have to draw the line at some point since it is impractical to anticipate some risks regardless of their severity. For example, two key project members in an SAP implementation project I participated in literally met an unfortunate and fatal accident. That incident delayed a major portion of the entire project until replacement personnel were hired.

Assessment

It is possible to quantitatively and qualitatively determine the likelihood, magnitude, and duration of the identified risks. Assessing risks this way allows you to prioritize them. When risks are categorized this way, you can budget your resources more rationally.

Plan Development

You now have the information to create the plans and procedures for preparing your organization to respond to and recover from interruptions. This is a high-level step and as the saying goes, the devil is in the details. This is where senior management, which should have initiated this project to begin with, should return and visibly support the BCP team. The team will need the time to extensively discuss the risks and possible solutions with functional heads. Without that support, the team will find it difficult to get the attention of the functional heads, much less their full-hearted cooperation.

Exercise

In this final step you must exercise the plan. This is the only way to learn what works and what does not. Needless to say, this is another step that senior management must support. Exercising the plan is a continuing activity. In fact, this entire process is performed iteratively. Exercising the BC plans will refine those plans and, more importantly, teach the employees how to respond if and when the real event happens.