Is Your Recovery Plan Good Enough to Save You?

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  
The events of the past few months have brought disasters back to thefront of corporate agendas.

Unfortunately, not all organizations realize the critical need tointernalize planning and may figure they will let the government helpthem if the time comes. What they don't realize is that even if adisaster strikes, there may not be aid. They must take care to preservetheir own business continuity.

Organizations simply must take control of their own recovery plans.

Hurricanes like Katrina and Rita are vivid in peoples' minds right now asis the outcry for assistance from the government and privateorganizations. However, assistance isn't always forthcoming.

In September, Wisconsin was struck by 27 tornados that damaged 400 homes.Their request to be declared a federal disaster area to get governmentassistance was denied. Accusations are being leveled that the FederalEmergency Management Agency (FEMA) is spread too thin and can not helpWisconsin, though they would have in times past.

Can you gamble on getting assistance?

Despite living in a city that was below sea level, many in New Orleansdid not have flood insurance, yet were covered for hurricanes -- or sothey thought. Heated debate and lawsuits are arising from carriersdeclining claims based on arguements that the property damage was notcaused by the hurricane directly, which would be covered. Some claim thestorm surge and subsequent flooding is what caused the damage and thatwould not be covered by insurance policies.

The issue is that flooding requires a separate rider that many did notbuy. If those families and businesses do not get reimbursed frominsurance, how will they fair? Have you checked your insurance policieslately against your most likely risks to make sure you have theappropriate coverage to ensure that recovery is possible?

To worsen many already dire situations, some organizations in New Orleansdutifully sent their backup media to offsite storage sites located aroundthe city. Not only did some groups lose their on-site data, but theoffsite data was destroyed, as well.

Given your most likely risks, do you have a backup process thatsafeguards your data from regional incidents? Do you need to guardagainst regional disasters, and if so, how far away must the backupstravel?

The Need for Planning

With just these few examples in mind, when was the last time you and yourteam sat down and ran through the most likely scenarios that threatenyour organization? The careful review should move beyond abstracted risksand focus on layered situations. Move past ''what if we lose power?'' andinstead focus on realistic matters such as ''whatif lightning takes outboth the primary and secondary grids that feed our facility?''.

The power company's communication structure is in disarray and anestimated time to recover is not even available. What must be doneimmediately? What do we do 30 minutes into the outage? What do we do anhour in? At what time do we begin powering down systems and in whatorder? How do we inform employees?

The idea is to use realistic situations to foster dialogue and to captureand formalize ideas that are scattered through the team. The end resultmust be a disaster recovery plan that covers the most likely scenarios.Whether there are three, five or 20 scenarios, the exact count willdepend on the organization and the risks that confront it.

The goal is to plan to the level that management feels is adequate.

Whenever a disaster strikes, even a small one, take the time to reviewlessons learned. Determine what worked well, what did not and reviseplans accordingly.

Business Continuity

Moving beyond disaster recovery is the idea of business continuity.

How will you keep the business running during some kind of disaster? Ifdisaster recovery is concerned about restoring a given service back intoproduction, business continuity planning is concerned with the holisticissues surrounding keeping the business running or getting back up andrunning as quickly as possible to minimize impacts.

Some organizations get hit by a disaster and disappear. We, of course,don't want that to happen to us. If we return to our power example fromabove, think about what business processes are most critical to ourability to stay operating. What is needed to operate? If the automatedsystems are down, can they run manually?

These questions are aimed at understanding the organization'srequirements and then layering IT's capabilities in to support thebusiness. Organizations must review their risks and then develop optionsto mitigate continuity risks.

For details, there are many resources on the Web that have been quietlyevolving. There is a wealth of recommended practices out there to aid inyour planning, including recommendations in ITIL and ISO 17799.Furthermore, discuss matters with your team and industry association toget started.

There are many avenues to consider. Groups that haven't dusted off theirdisaster recovery and business continuity plans since Y2K should get themout and run through them, thinking about the disasters most likely tostrike. The scenarios should be detailed enough that responses aregauged, corrective actions defined and investments approved.

Organizations can't take their responses for granted. If they do, theymight be faced with the day when planning would have made the differencebetween being in or out of business.

Here are some additional resources:

  • Continuity Central;
  • Full OGC Business Continuity Planning Guide;
  • FFIEC Business Continuity Planning Booklet;
  • NC State University;
  • OGC Guidelines for BCP;
  • Texas BCP Guidance.