Are you Prepared?
How to Accomplish Disaster Recovery and Business Continuity Planning

Are you prepared? Do you know how to begin to accomplish Disaster Recovery and Business Continuity Planning? Have you or anyone in your organization asked: “Can our company survive a disaster?” If you are unsure, it sounds like you need a plan! Being prepared can make all the difference. During calm times, major decisions can be made more effectively and efficiently and those decisions can be tested before a crisis. Arm yourself with knowledge and the ability to overcome any disaster.

Contingency planning should be a company policy. A budget should be in place to develop contingency planning. Programs as important as disaster recovery and business continuity planning should be supported by Senior Management to ensure that the required level of commitment, resources and management attention are applied to the process and procedures. Without Senior Management support, plans often fail, and/or fall by the wayside.

The first thing that comes to mind when you think of a disaster is an event such as a fire, flood, or computer issues, or a terrorist attack.  A high quality business continuity plan will keep your company up and running through any interruptions such as: power failures, natural disasters, supply chain problems and more.  Most recent industry research shows that there are over 200 plus events that can cause a disaster.  Rather than planning for disaster events, you have to plan for the result of an event.  If the event causes inaccessibility to your facility or inoperability of your technology for a specific amount of time such as a day or a week, it would be considered a disaster.  Therefore, we define a disaster as “any event that causes inaccessibility or inoperability to your technology, business functions or facility, and possibly permanently.”  It is rational to believe if you can recover from a worst-case scenario, you will be able to recover from any event.   Most contingency planning professionals differentiate disaster recovery as recovery of technology after disaster and business continuity as recovery of business functions after a disaster.  We suggest that these should be integrated.

Step One– Perform a Business Impact Analysis (“BIA”).  The BIA is the initial information gathering process which is needed before developing the preparedness document or plan. The BIA qualifies and quantifies the impacts of services-affecting or disaster incidents over varied timeframes. The BIA thoroughly scrutinizes - both quantitatively and qualitatively - the impacts of not being able to perform day-to-day technology or business operations. In addition, the BIA identifies interdependencies between departments; disaster incident based timeframe outages, including financial and non-financial impacts as well as legal/regulatory impacts; and, the BIA identifies BCP timeframe objectives.

The disaster impact information that is gathered from the BIA is analyzed and used to define the recovery continuity objectives for the plan.  Also upon completion of the BIA, you should have collected the recovery resource and interdependency information for your applications/systems and/or business operations/processes.  Development of the plan is the next step.

Step Two – Develop your Plan.  In order to achieve an optimal Disaster Recovery Plan (“DRP”) and/or a Business Continuity Plan (“BCP”), you need to do the following:

  • Define the scope of what you are trying to recover from a disaster.  This may be for one facility or multiple facilities, or it may be just a data center
  • Define your Recovery Timeframe Objective (RTO).  This is the target timeframe within which you want to recover from a disaster. The RTO is determined during the BIA step.
  • Choose and implement the recovery strategy that will allow you to achieve your RTO.  For example, if you want to recover the mission critical servers in a data center and your RTO is 24 hours, you could choose a commercial hot site as your recovery strategy.
  • Identify and document your recovery resources.  These are the information resources that will assist you in your recovery activities and will allow you to achieve your RTO.  Alphabetically, the categories of recovery resource information are:

Equipment - an inventory of the equipment you had before the disaster, what equipment you will need for recovery, and what mission critical equipment you may need to replace

Facilities – a description of the facilities, including contact information and directions, which would assist you in your recovery activities.  These may include your offsite storage facility, hot site, command centers, alternate offices, etc.

Forms & Stationery – a description of any special forms or stationery items that would be necessary to achieve your RTO.  For example, blank company checks, etc.

Personnel – detailed contact information on all your personnel will be essential for recovery

Recovery Tasks – the guideline actions and/or tasks that need to be accomplished for recovery

Software – an inventory of the software you had before the disaster as well as the software you will need for recovery, including any temporary software license keys

Supplies - a description of any special supply items that would be necessary to achieve your RTO.  For example, signature stamps, etc.

Vendors – a description of your vendors, including their purpose, contact information and service level agreements

Vital Records – an inventory and description of the vital records you will need for recovery.  The best recovery plan will not work without your vital records.

  1. Document your recovery plan.  The plan must be logically organized and easily reference-able. Your plan must cover the following topics:

Introductory Information - This section should contain the foundation information for your Plan, e.g., scope, recovery objective, recovery strategy, assumptions, etc.

Incident Response - When an incident (potential disaster) occurs, someone must respond with a pre-defined sequence of events and follow the Disaster Declaration Procedures

Notification Procedures - Once a disaster is declared by management, notification of Plan-participants must immediately begin

Recovery Teams Responsibilities, Staffing and Procedures - As soon as the Plan participants have been notified, they will become part of one or more recovery teams – Therefore, recovery roles and responsibilities will be documented in this section

Emergency Procedures and Information - This section is a requirement by external regulators for plans. Items may include evacuation procedures, emergency phone numbers (FEMA, local Red Cross, etc.), offsite storage procedures, etc.

Mission Critical Operating Specifications - Everything you will need to quickly establish your mission critical operations should be documented in this section, e.g., command center locations, service level agreements from your vendors, network diagrams, etc.

Rebuilding/Restoring Specifications and Inventories - At the same time that you are establishing your mission critical operations, restoring and rebuilding should begin immediately

Step Three – Develop a Crisis Management Plan (CMP).  Optionally, it is recommended that a Crisis Management Plan (CMP), often referred to as an Emergency Action Plan (EAP), be created to work alongside the DRP/BCP.  The CMP is the support, command and control parts of business continuity, disaster recovery or continuity of operations plans.

A CMP provides the plan of action on how to manage a crisis, emergency or disaster.

Following an incident which may be considered an emergency, crisis or disaster, the beginning of the CMP provides for initial evaluation and assessment of the incident.  In addition, this plan provides guidance and a plan of action to manage the Emergency Operations Center (EOC) and most importantly, emergency, crisis and disaster incident communications.

Industry research tells us that proper crisis communications is vital to an organization's continued success.  The reason is logical.  It is because all the management efforts surrounding crisis management are articulated through communications.  The way information is conveyed directly affects an organization’s reputation.  We all have one reputation.  Appropriate or inappropriate communication in a crisis can enhance, tarnish or ruin a reputation.

Crisis Management Plans or Emergency Action Plans also provide for the management of security and safety to ensure that facilities are secure and more significantly, that people are safe.  A crisis incident oftentimes results in physical damage to a facility.  As such, these plans need to address salvage and cleaning operations, as well as insurance claim processing and options for alternative real estate/facilities.  To support these emergency actions, finance, legal and human resources need to be part of the crisis management and/or emergency action plan.

Summary

Disaster recovery / business continuity planning is not an easy task, nor is it beyond the capabilities of a person who knows your company and its needs, and has support of senior management.  There are several choices to accomplish planning.  If your company is small you may want to purchase a simple fill in the blanks template. Several companies offer these templates at a low cost.  Another choice is to purchase a recovery planning software product that contains the information and tools to assist you. Several companies offer these software packages as a do-it-yourself option.  The third option is to secure the services of a consulting firm that specializes in business continuity planning and can also provide you with the software tools so that you can become self-sufficient in your recovery planning maintenance efforts.

We also recommend the maintenance of your disaster recovery plan/business continuity plans. The maintenance can mean all the difference between a temporary setback and completely destroying your business by going out of business. Industry research indicates that the testing and updating of your plans at least once per year is necessary. The plans contain dynamic data which is constantly changing from day to day.  The maintenance is recommended to comply with stringent best practices for the protection and recovery of your business, and to gain confidence and peace of mind.  Performing a regular review of your plans and or testing the plans is your due diligence. It is essential for your assurance, it helps to ensure that your company is able to withstand and recover from any major incident.  In the midst of disaster it is not the time to determine the best way to the recovery of your business.  The best advice is to be prepared in any event. Test and maintain the plans. It can make all the difference. In the time of disaster the number one thing is safety first then the plans take effect and the recovery begins.

The only thing more difficult than Planning will be trying to explain why you didn’t.

 

Author: Patty Catania, AMBCI, CBCP
Title: COO of TAMP Systems
Email: patty@tampsystems.com
Contact #: 1-800-252-4080