A Backup Does Not A Recovery Make
You open the e-mail and it tells you about all the new viruses, worms and other nasty computer bugs making their way around the computer world, but that doesn’t worry you. You backup your data every night and you faithfully take the most recent backup off premises and bring the prior day’s backup to the office the next day. Yes sir, there’s no doubt about it, you are prepared for anything – or are you?
If you truly think you are prepared for anything to happen, you’re not. Don Edwards in his article The Contingency Planner said, “I remember early on making predictions that our entire plan would be fully tested and documented requiring only periodic maintenance within two years. Not quite! And, as most of us now know, the further we dig into the puzzle of recovery the dirtier it gets!” (Disaster Recovery Journal, Vol. 4 No. 2, p. 59.)
Unfortunately, we are living in a fluid world and change takes place at an alarming rate. What is state-of-the-art while you read this article won’t be when you finish. Worse, it seems these days there are more natural disasters and even man made disasters. You don’t have to look very far to read about a hurricane, a tornado or even massive power shortages. Disaster strikes everything – not just computers.
So, how do you protect yourself? You could sell everything, move to a remote part of the earth and live off the land, but even there you have the wild animals and elements to contend with. Better you should develop a Disaster Recovery Plan that will help you move in the direction of true recovery if a disaster strikes. The following article is just a very brief discussion of some of the things to consider in creating that plan.
As we say, this article is very brief. There are, however, resources you can use on the Internet to “flesh out” the ideas in this article. One very good source is the Disaster Recovery Journal. If you take time and review its materials, you will be forced to stop…and think…and, hopefully, act on the suggestions of this article and the Disaster Recovery Journal.
What do we mean by disaster recovery and it’s first cousin – business continuity planning? While there are differences in the specific terms as used by the Disaster Recovery Journal, we will use those terms to mean anything that adversely affects your company’s ability to meet its customer’s needs, which in turn will help to keep both you and your customers in business. That means it could be anything from a simple loss of computer data to the complete destruction of the main operating plant. Since each scenario requires the assistance of different team members and their talents, you have to look at each risk in your operations and devise a plan to overcome the disaster.
With this in mind, let’s take a look at the various general phases of a Disaster Recovery Planning.
The first step is, of course, deciding that your company needs a Disaster Recovery or Business Continuity Plan (BCP). While you may think this is a no-brainer, many managers don’t think about the possibility of the office being carried away by a tornado or some other disaster. They are just concerned with getting the job done today. You’re also talking about a significant expense to properly prepare a BCP.
Next, you will need to develop a general understanding of the planning process and determine the scope of the project. If you are not top management, your next step will be to gain an audience with top management and discuss your ideas. Don’t forget one major factor management will want to know – how much it will cost.
After you have obtained management’s buy-in to the need for the BCP, the next step is to sell it to your co-workers. Why is that necessary? After all, the boss will tell them what to do and they’ll do it! Don’t bank on it. If you are going to develop a plan to resume business when the disaster strikes, it will be an organization-wide effort. Just one person dragging their feet can bring the project down. Don’t let that happen. Obtain the buy-in of your co-workers and then establish a disaster recovery committee. This committee should include representatives of all departments and especially top management. It is this committee that will ultimately define the project.
Next, you need to perform a risk assessment. What are the internal and external factors affecting your business? How can those factors, either working alone or in tandem, create a disaster that you will have to address? Don’t forget there are a variety of factors to consider, including natural disasters, loss of power, strikes at a major supplier or simply the network server blowing up from all the traffic your employees send it.
Once you have identified the risks, you next step is to prioritize the operations/functions performed in each department or business function. Specifically, what are the critical functions that need to be restored first? Is it the shipping department or sales? Don’t forget accounting! Hey, data processing needs to get up and running or none of those departments will be able do their job! Once you get into the process, you will quickly find there are no easy answers. The committee will have to look at all the facts and decide which has priority.
The next step will be deciding what recovery strategies are available to you. In some cases, the only recovery strategy is rebuild and hope the customer base is there when you are back up and running. Sometimes, you can obtain access to a “hot site” where you will have the information and facilities needed to carry on business until your own facility is operational. This alternative is particularly sensitive in financial institutions and the bank examiners regularly check a bank’s preparedness. This step will require an assessment of what facilities, records, supplies, hardware and software are available and necessary.
Determining alternative business continuity strategies will also require hard choices about how much money should be spent and where personnel are to be allocated in the event of a disaster.
After you have looked at and decided the approaches to the BCP, the hard work starts. You need to collect information on virtually every aspect of the organization. You will need to know critical telephone numbers, who to call to replace items of equipment, telephone service, software and hardware. Virtually everything that has gone into the operation of your business has a source of supply that you will need to contact in the event of a disaster.
The plan wouldn’t be a plan and this wouldn’t be a good article if we suggested you keep the results of all of this to yourself. You will, of course, need to document everything you have done. Then, based on the results of your work, you will need to organize the plan into a well-written document detailing the steps to take in the event of a disaster and who will be involved. This will necessarily include various scenarios and different personnel required to meet the recovery needs.
After obtaining management approval, you will need to develop criteria and scenarios to test the plan and then actually test it. Make sure you perform a comprehensive test of all functions to determine where there is a need for change. There will be a need for change on your first BCP and probably everyone thereafter.
After any changes resulting from the testing phase, top management should formally approve the plan. This will lend it credibility and weight in the eyes of other employees. It should also help you get the funding you need to properly administer the program.
The final step comes next year. When you go through all of this again – or at least a major portion of it.
Disasters occur all the time. You needn’t look to far from your office to find some form of disaster – natural or man-made. If you want to maximize your profits and minimize the cost of disaster recovery, a well-written and tested plan is necessary. We can help you with your planning process. Give us a call and let’s discuss your next step.
By the way, have you tested that backup that made you feel so good in the first paragraph of this article? How do you really know it’s working?