Disaster Avoidance and Recovery Planning
One of the most important things for a business is to have a good disaster avoidance and recovery plan. Unfortunately, it is also one of the areas that businesses spend little time or money on. Particularly, when budgets are tight, it is easy to not spend on something that hopefully will never happen. But, if a disaster does happen, all the hope in the world may not help you.
Another challenge in this area is that people often think of a disaster as a large event, such as an earthquake or fire. While these are certainly disasters, a disaster can also be as simple as a lost piece of paper (with all the corporate admin passwords on it!).
A third concern in this area is that companies usually focus on disaster recovery, but forgo planning on how to avoid disasters. You would think this is an obvious thing to do. After all, every company would rather avoid a disaster if possible. But still, this aspect of planning is often overlooked.
Good disaster avoidance and recovery planning looks across the entire organization and develops a plan that covers the gamut of issues from the macro level (i.e. HQ is destroyed) to the micro-level (i.e. a lost diskette). Further, this planning is also a fluid activity. Once a core plan is developed, it is important to revisit it regularly to ensure that it is up to date and accurate.
Regardless of the magnitude, emergencies occur anywhere, anytime, and under any condition. They can be natural, such as a hurricane or earthquake, or they can be "man-made", such as a hazardous material release, fire, power outage, or computer virus. Regardless of the origins of the incident, for the business to survive it is essential to avoid impact to critical business operations and if the interruption is unavoidable to ensure that these systems are reestablished on a timely basis.
Often the most common disaster scenarios (e.g., data loss, data corruption, software viruses, interruptions to data transmission, patch and upgrade compatibility issues, human error, etc.) can be prevented through the practical application of proven procedures and the appropriate implementation of proper configurations, system monitoring and redundancy.
DAR planning should employ a structured, verified methodology to analyze potentially vulnerable areas, define mediation, mitigation and recovery strategies, and implement those plans. Each phase includes concrete deliverables that not only form the basis for the following phases, but also serve as templates for on-going analysis and maintenance of the DAR plans.
Phase 1: Project Initiation
In the first phase of the project, the project scope is defined, key personnel are identified, and an inventory is made of the priority business processes and data. This phase sets the project parameters and establishes executive sponsorship and ownership. The project plan is introduced and refined to a level appropriate for the size of the effort. Most importantly, the team is introduced to a DAR methodology so that each member can begin to assume their role and set of responsibilities.
Phase 2: Business Impact Analysis
After initiation, a vulnerability assessment is performed. This phase focuses on which business processes are most critical to the business and which are most susceptible to interruption. The goal of the business impact analysis is to define the operational, financial and service impact of an interruption to each of the target business processes. The deliverable identifies the cost of an outage over time and hence the recovery time objective. For example, a manufacturing company may be able to keep the manufacturing process going for up to 2 hours without the company's systems. This phase also establishes a baseline for reasonable future investments in disaster recovery planning and avoidance.
Phase 3: Strategy Development
Using the information from the business impact analysis as a foundation, business continuity strategies are formulated and budgetary costs developed. The critical time frames and impacts from the business impact analysis will be used to determine which contingency strategies are viable. Additionally in this phase, disaster avoidance plans are prepared. These plans will be developed, documented and budgeted to define contingency and implementation requirements.
Phase 4: Plan Implementation
It is essential to first develop the full set of remediation and recovery plans, as described above. Few companies can afford to invest in 100% disaster avoidance, so with the complete plans from Phase 2 and 3, the company is now armed with concrete information and data for making informed decisions about their business and how to protect it. The next step in the process is for management to prepare budgets and priorities taking into account cost/benefit and cost avoidance figures. Once this step is completed, clear objectives are set forth for each system, accounting for both disaster avoidance remediation and disaster recovery planning. Teams are assigned (serially or in parallel as appropriate) to work on each system and/or plan. It is important to attend to details throughout, for an incorrect phone number or misplaced data file can derail your recovery efforts.
Phase 5: Testing and Maintenance
Last, and probably most important, through testing and training exercises, you then verify that the plan functions correctly and will be used effectively. By including tailored user procedures, you can also ensure that your staff follows a regular, certified schedule of maintenance, testing, and update procedures. Most DAR plans fail due to lack of testing.
As a last point, it is also important to develop a DAR plan that is manageable. In one circumstance, a relatively small company had a 200 page plus DAR plan. Once they developed it, nobody ever looked at it again. It was so complex and detailed that it was overwhelming. The result, they might as well not have had the plan at all. Part of keeping the plan manageable is to remember that a plan is also somewhat of a tradeoff. It balances avoidance and recovery against cost and risk. Good luck in your planning and may your business never be down.
