e-Management brings commitment, expertise and proven success to every opportunity.
Solutions

Archive for August, 2009

Are You Prepared for Business Continuity When Disaster Strikes? (Part 2)

Wednesday, August 19th, 2009

By Douglas Pitcher, e-Management

Note: Backup is at the core of any disaster recovery strategy. In the final installment, we will discuss different backup methodologies that provide benefits for business continuity.

Did you know an effective “disaster recovery” plan must not only protect employees and physical resources, but account for data that is confidential, sensitive, and critical to business continuity?   

Business continuity (BC) has its origins in disaster recovery, and therefore reported within the Information Technology (IT) group. Disaster recovery (DR) in its basic form was simply a matter of backing up computers and being able to recover the data at an alternate site. Over the last 10 years, and accelerating after 9/11 and Hurricane Katrina, a need for DR to evolve into something more than a function of IT was realized by government and private sector executives. Business continuity encompasses much more than data recovery.  While business continuity may not reside at the highest executive level, having the support of the senior leadership team is imperative to be effective.

What are critical issues to watch for when creating a disaster recovery plan?

The first major consideration involves the decision to manage this project internally or seek an external provider. In making the decision to either “build or buy” this service, a long list of issues, including: (1) should you invest in owning an internal backup infrastructure? (2) What is the return on investment (ROI) of the build versus buy decision? (3) What is the relative total cost of ownership (TCO) in outsourcing business continuity services versus managing these services internally? and (4) Can an outsourcer provide consistent results across a broad set of business operation?

Achieving the level of business availability needed to meet these demands requires that organizations have access to a vast array of capabilities, whether under normal operating conditions or during unpredictable disruptions or disasters.

How do you go about creating a disaster recovery plan?

Senior leadership or management should start with a business impact analysis (BIA); a portfolio of risk assessments; business and technology profiles; current prioritization of personnel / functions / business units; business and technology availability plans; existing policies and procedures; emergency preparedness plans; health and safety procedures; facility / environmental preparedness; and a communications plan/succession plan.

Senior management will drive the dialog to enable IT to determine a direct mapping of business and stakeholders to technology resources, while viewing themselves as having a shared responsibility to provide continuity of operations, should a disaster occur. In fact, IT should provide a list of all technology plans and a well documented current infrastructure. The documents will provide both senior management and IT an opportunity to validate and include provisions for overcoming potential obstacles and be able to resume operations after any unpredictable disaster.

There is the notion that organizations that have systems without DR must document and address the situation and someone in the organization must accept the risk or put in place a Plan of Action and Milestones (POA&M) to address the issue(s). That way of thinking  is flawed because a DR plan should be treated in the context of business continuity. Therefore, a POA&M should be a list of initiatives that only serve to complement a disaster recovery plan. Even more, senior management should strive to work with IT to develop a list of POA&M’s to address the life-cycle of a DR plan. So  IT managers should begin by creating redundancy, such as disk-to-disk backup, disk mirroring, or off-site locations should be established, possibly through a third-party storage vendor, and all scripts should be stored there in an electronic format. These scripts should be updated and tested periodically as part of a life-cycle management strategy, to ensure accuracy, availability, and recoverability.

Rotating technical staff in testing the plan will ensure that it is not halted due to the absence of key personnel. Up to date insurance policies and inventory should be maintained, as well as a contract with an independent reviewer to test a wide array of different disaster scenarios.  These will help ensure preparedness. Testing at least once a year is important for all projects regardless of size or funding. Likewise, it is necessary to test your plans annually.  Sadly, some organizations will neglect to test their backup tapes; and then they’re surprised later when recovery efforts fail.

Annual test s should be part of a life-cycle management solution. These plans should include provisions for overcoming every thinkable obstacle—from the failure of traditional communication and travel methods to the absence of key personnel and the complete destruction of facilities. Key employees must be made aware of these plans and their roles so they know exactly what is expected of them during an emergency.

Remember, the final installment will cover different backup methodologies that provide benefits for business continuity.  In the meantime, feel free to comment on this thread.  We are interested in knowing…

What issues keep senior directors or executives awake at night?  Is business continuity or a lack of a disaster recovery plan on their lists?