The events of the past few months have brought disasters back to the
front of corporate agendas.
Unfortunately, not all organizations realize the critical need to
internalize planning and may figure they will let the government help
them if the time comes. What they don’t realize is that even if a
disaster strikes, there may not be aid. They must take care to preserve
their own business continuity.
Organizations simply must take control of their own recovery plans.
Hurricanes like Katrina and Rita are vivid in peoples’ minds right now as
is the outcry for assistance from the government and private
organizations. However, assistance isn’t always forthcoming.
In September, Wisconsin was struck by 27 tornados that damaged 400 homes.
Their request to be declared a federal disaster area to get government
assistance was denied. Accusations are being leveled that the Federal
Emergency Management Agency (FEMA) is spread too thin and can not help
Wisconsin, though they would have in times past.
Can you gamble on getting assistance?
Despite living in a city that was below sea level, many in New Orleans
did not have flood insurance, yet were covered for hurricanes — or so
they thought. Heated debate and lawsuits are arising from carriers
declining claims based on arguements that the property damage was not
caused by the hurricane directly, which would be covered. Some claim the
storm surge and subsequent flooding is what caused the damage and that
would not be covered by insurance policies.
The issue is that flooding requires a separate rider that many did not
buy. If those families and businesses do not get reimbursed from
insurance, how will they fair? Have you checked your insurance policies
lately against your most likely risks to make sure you have the
appropriate coverage to ensure that recovery is possible?
To worsen many already dire situations, some organizations in New Orleans
dutifully sent their backup media to offsite storage sites located around
the city. Not only did some groups lose their on-site data, but the
offsite data was destroyed, as well.
Given your most likely risks, do you have a backup process that
safeguards your data from regional incidents? Do you need to guard
against regional disasters, and if so, how far away must the backups
travel?
The Need for Planning
With just these few examples in mind, when was the last time you and your
team sat down and ran through the most likely scenarios that threaten
your organization? The careful review should move beyond abstracted risks
and focus on layered situations. Move past ”what if we lose power?” and
instead focus on realistic matters such as ”whatif lightning takes out
both the primary and secondary grids that feed our facility?”.
The power company’s communication structure is in disarray and an
estimated time to recover is not even available. What must be done
immediately? What do we do 30 minutes into the outage? What do we do an
hour in? At what time do we begin powering down systems and in what
order? How do we inform employees?
The idea is to use realistic situations to foster dialogue and to capture
and formalize ideas that are scattered through the team. The end result
must be a disaster recovery plan that covers the most likely scenarios.
Whether there are three, five or 20 scenarios, the exact count will
depend on the organization and the risks that confront it.
The goal is to plan to the level that management feels is adequate.
Whenever a disaster strikes, even a small one, take the time to review
lessons learned. Determine what worked well, what did not and revise
plans accordingly.
Business Continuity
Moving beyond disaster recovery is the idea of business continuity.
How will you keep the business running during some kind of disaster? If
disaster recovery is concerned about restoring a given service back into
production, business continuity planning is concerned with the holistic
issues surrounding keeping the business running or getting back up and
running as quickly as possible to minimize impacts.
Some organizations get hit by a disaster and disappear. We, of course,
don’t want that to happen to us. If we return to our power example from
above, think about what business processes are most critical to our
ability to stay operating. What is needed to operate? If the automated
systems are down, can they run manually?
These questions are aimed at understanding the organization’s
requirements and then layering IT’s capabilities in to support the
business. Organizations must review their risks and then develop options
to mitigate continuity risks.
For details, there are many resources on the Web that have been quietly
evolving. There is a wealth of recommended practices out there to aid in
your planning, including recommendations in ITIL and ISO 17799.
Furthermore, discuss matters with your team and industry association to
get started.
There are many avenues to consider. Groups that haven’t dusted off their
disaster recovery and business continuity plans since Y2K should get them
out and run through them, thinking about the disasters most likely to
strike. The scenarios should be detailed enough that responses are
gauged, corrective actions defined and investments approved.
Organizations can’t take their responses for granted. If they do, they
might be faced with the day when planning would have made the difference
between being in or out of business.
Here are some additional resources: