Is Your Recovery Plan Good Enough to Save You?

The events of the past few months have brought disasters back to the

front of corporate agendas.

Unfortunately, not all organizations realize the critical need to

internalize planning and may figure they will let the government help

them if the time comes. What they don’t realize is that even if a

disaster strikes, there may not be aid. They must take care to preserve

their own business continuity.

Organizations simply must take control of their own recovery plans.

Hurricanes like Katrina and Rita are vivid in peoples’ minds right now as

is the outcry for assistance from the government and private

organizations. However, assistance isn’t always forthcoming.

In September, Wisconsin was struck by 27 tornados that damaged 400 homes.

Their request to be declared a federal disaster area to get government

assistance was denied. Accusations are being leveled that the Federal

Emergency Management Agency (FEMA) is spread too thin and can not help

Wisconsin, though they would have in times past.

Can you gamble on getting assistance?

Despite living in a city that was below sea level, many in New Orleans

did not have flood insurance, yet were covered for hurricanes — or so

they thought. Heated debate and lawsuits are arising from carriers

declining claims based on arguements that the property damage was not

caused by the hurricane directly, which would be covered. Some claim the

storm surge and subsequent flooding is what caused the damage and that

would not be covered by insurance policies.

The issue is that flooding requires a separate rider that many did not

buy. If those families and businesses do not get reimbursed from

insurance, how will they fair? Have you checked your insurance policies

lately against your most likely risks to make sure you have the

appropriate coverage to ensure that recovery is possible?

To worsen many already dire situations, some organizations in New Orleans

dutifully sent their backup media to offsite storage sites located around

the city. Not only did some groups lose their on-site data, but the

offsite data was destroyed, as well.

Given your most likely risks, do you have a backup process that

safeguards your data from regional incidents? Do you need to guard

against regional disasters, and if so, how far away must the backups

travel?

The Need for Planning

With just these few examples in mind, when was the last time you and your

team sat down and ran through the most likely scenarios that threaten

your organization? The careful review should move beyond abstracted risks

and focus on layered situations. Move past ”what if we lose power?” and

instead focus on realistic matters such as ”whatif lightning takes out

both the primary and secondary grids that feed our facility?”.

The power company’s communication structure is in disarray and an

estimated time to recover is not even available. What must be done

immediately? What do we do 30 minutes into the outage? What do we do an

hour in? At what time do we begin powering down systems and in what

order? How do we inform employees?

The idea is to use realistic situations to foster dialogue and to capture

and formalize ideas that are scattered through the team. The end result

must be a disaster recovery plan that covers the most likely scenarios.

Whether there are three, five or 20 scenarios, the exact count will

depend on the organization and the risks that confront it.

The goal is to plan to the level that management feels is adequate.

Whenever a disaster strikes, even a small one, take the time to review

lessons learned. Determine what worked well, what did not and revise

plans accordingly.

Business Continuity

Moving beyond disaster recovery is the idea of business continuity.

How will you keep the business running during some kind of disaster? If

disaster recovery is concerned about restoring a given service back into

production, business continuity planning is concerned with the holistic

issues surrounding keeping the business running or getting back up and

running as quickly as possible to minimize impacts.

Some organizations get hit by a disaster and disappear. We, of course,

don’t want that to happen to us. If we return to our power example from

above, think about what business processes are most critical to our

ability to stay operating. What is needed to operate? If the automated

systems are down, can they run manually?

These questions are aimed at understanding the organization’s

requirements and then layering IT’s capabilities in to support the

business. Organizations must review their risks and then develop options

to mitigate continuity risks.

For details, there are many resources on the Web that have been quietly

evolving. There is a wealth of recommended practices out there to aid in

your planning, including recommendations in ITIL and ISO 17799.

Furthermore, discuss matters with your team and industry association to

get started.

There are many avenues to consider. Groups that haven’t dusted off their

disaster recovery and business continuity plans since Y2K should get them

out and run through them, thinking about the disasters most likely to

strike. The scenarios should be detailed enough that responses are

gauged, corrective actions defined and investments approved.

Organizations can’t take their responses for granted. If they do, they

might be faced with the day when planning would have made the difference

between being in or out of business.

Here are some additional resources: