The events of the past few months have brought disasters back to the front of corporate agendas.

Unfortunately, not all organizations realize the critical need to internalize planning and may figure they will let the government help them if the time comes. What they don't realize is that even if a disaster strikes, there may not be aid. They must take care to preserve their own business continuity.

Organizations simply must take control of their own recovery plans.

Hurricanes like Katrina and Rita are vivid in people's minds right now, as is the outcry for assistance from the government and private organizations. However, assistance isn't always forthcoming.

In September, Wisconsin was struck by 27 tornadoes that damaged 400 homes. Its request to be declared a federal disaster area to get government assistance was denied. Accusations are being leveled that the Federal Emergency Management Agency (FEMA) is spread too thin and cannot help Wisconsin, though it would have in times past.

Can you gamble on getting assistance?

Despite living in a city that was below sea level, many in New Orleans did not have flood insurance, yet were covered for hurricanes -- or so they thought. Heated debate and lawsuits are arising from carriers declining claims based on arguments that the property damage was not caused by the hurricane directly, which would be covered. Some claim the storm surge and subsequent flooding is what caused the damage and that would not be covered by insurance policies.

The issue is that flooding requires a separate rider that many did not buy. If those families and businesses do not get reimbursed from insurance, how will they fare? Have you checked your insurance policies lately against your most likely risks to make sure you have the appropriate coverage to ensure that recovery is possible?

To worsen many already dire situations, some organizations in New Orleans dutifully sent their backup media to offsite storage sites located around the city. Not only did some groups lose their on-site data, but the offsite data was destroyed, as well.

Given your most likely risks, do you have a backup process that safeguards your data from regional incidents? Do you need to guard against regional disasters, and if so, how far away must the backups travel?

The Need for Planning

With just these few examples in mind, when was the last time you and your team sat down and ran through the most likely scenarios that threaten your organization? The careful review should move beyond abstracted risks and focus on layered situations. Move past "what if we lose power?" and instead focus on realistic matters such as "what if lightning takes out both the primary and secondary grids that feed our facility?"

The power company's communication structure is in disarray and an estimated time to recover is not even available. What must be done immediately? What do we do 30 minutes into the outage? What do we do an hour in? At what time do we begin powering down systems and in what order? How do we inform employees?

The idea is to use realistic situations to foster dialogue and to capture and formalize ideas that are scattered through the team. The end result must be a disaster recovery plan that covers the most likely scenarios. Whether there are three, five or 20 scenarios, the exact count will depend on the organization and the risks that confront it.

The goal is to plan to the level that management feels is adequate.

Whenever a disaster strikes, even a small one, take the time to review lessons learned. Determine what worked well, what did not and revise plans accordingly.

Business Continuity

Moving beyond disaster recovery is the idea of business continuity.

How will you keep the business running during some kind of disaster? If disaster recovery is concerned with restoring a given service to production, business continuity planning is concerned with the holistic issues surrounding keeping the business running or getting back up and running as quickly as possible to minimize impacts.

Some organizations get hit by a disaster and disappear. We, of course, don't want that to happen to us. If we return to our power example from above, think about what business processes are most critical to our ability to stay operating. What is needed to operate? If the automated systems are down, can they run manually?

These questions are aimed at understanding the organization's requirements and then layering IT's capabilities in to support the business. Organizations must review their risks and then develop options to mitigate continuity risks.

For details, there are many resources on the Web that have been quietly evolving. There is a wealth of recommended practices out there to aid in your planning, including recommendations in ITIL and ISO 17799. Furthermore, discuss matters with your team and industry association to get started.

There are many avenues to consider. Groups that haven't dusted off their disaster recovery and business continuity plans since Y2K should get them out and run through them, thinking about the disasters most likely to strike. The scenarios should be detailed enough that responses are gauged, corrective actions defined and investments approved.

Organizations can't take their responses for granted. If they do, they might be faced with the day when planning would have made the difference between being in or out of business.

Here are some additional resources:

  • Continuity Central;
  • Full OGC Business Continuity Planning Guide;
  • FFIEC Business Continuity Planning Booklet;
  • NC State University;
  • OGC Guidelines for BCP;
  • Texas BCP Guidance.