Disaster Recovery Planning

Don Sadler For many companies, disaster recovery planning has taken on a new urgency in light of the post-9/11 world that we now live in. But in reality, planning for possible disasters or other disruptions in your business is no more or less important now than it has ever been. It just takes a tragedy of this magnitude for many companies to plan for how they would ensure the continuity and viability of their business operations in light of such an event.

Still, studies show that fewer than 25 percent of businesses have a disaster recovery plan in place. Chalk it up to the ever-persistent “disasters happen to somebody else” mentality that still exists with most people. Granted, the chances of being struck by a major disaster or catastrophe are admittedly small, but the stakes are enormous. According to the Gartner Group, 40 percent of companies that experience a disaster are out of business within five years.

What is a “disaster”?

A “disaster” doesn’t have to be something on the scale of a major terrorist attack, fire, hurricane or flood. It can be any type of unplanned event that disrupts a company’s business operations, IT services or use of its facilities for a day or longer. This includes things like power outages and loss of communications (like the massive multi-state power blackout of last summer), equipment or system failure, security breaches, theft and sabotage, and cyber crime.

The process of disaster recovery planning can be divided into two main parts:

1. Devising emergency response procedures to help minimize the impact of damage immediately after the disaster. This focuses on getting critical IT systems and software applications back up and running as quickly as possible.

2. Formulating a plan to keep the business functional in the weeks and months following a disaster. This includes steps for keeping critical business functions operational in order to reduce the long-term impact of business interruption, such as restoring backups and implementing procedures necessary to ramp back up to pre-disaster production levels as quickly as possible.

Completing a business impact analysis The first step in creating your disaster recovery plan (DRP) is conducting a business impact analysis (BIA). This should identify possible risks (like those described above) and quantify their potential impact on your company’s critical business operations and systems. Based on this, you can set priorities as to which operations and systems should receive the bulk of resources to be back up and running first, and how quickly this has to happen. Systems may be classified as follows:

  • Critical — These are functions that your business cannot operate without and that can’t be performed until they are replaced by identical capabilities. There is a low tolerance and high cost to their interruptions.
  • Vital — These functions could be performed manually, but only temporarily. There is a slightly higher tolerance and lower cost to interruption, provided they are fully restored within a certain time frame (such as five days or less).
  • Sensitive — These are functions that can be performed manually at a tolerable cost for an extended period of time without seriously impacting the business. However, this may require hiring additional staff to perform the functions during this time.
  • Non-critical — These are functions that may be interrupted for an extended period of time at little or no cost to the business.
  • Next, the BIA should designate the personnel who are key to restoring your critical systems and examine your existing emergency procedures. It should designate a team to manage recovery efforts, both emergency measures to protect life and property and restoration of key systems and operations. This team’s responsibilities should be planned in detail:

  • Who will notify employees not to report for work, or to report to another site?
  • Who will see that critical data is retrieved from an off-site storage location?
  • Who will communicate with media and government officials during the crisis and its aftermath?
  • The plan itself

    From your business impact analysis will emerge the outline of a disaster recovery plan that will give you a road map detailing the steps you should take to prepare your business for disaster. Your DRP should be a formal written document that is kept stored in a secure location (preferably off-site) and updated as circumstances warrant.

    Many of the steps in your plan will involve simple, common-sense things that you and your employees should do, like making sure supervisors have current home phone numbers for all their reports. Others will involve very detailed and technical processes to safeguard and ensure access to data and secure an alternate physical facility where employees can come to work.

    For some companies, it may make sense to contract with firms that specialize in providing disaster recovery services, These services include disaster recovery hotsites — which are actual physical locations where employees can come to work — redundant data storage, and secure hosting services for both Web- and non-Web-based applications. It is possible for companies with high-availability requirements to have their entire computer, phone and data systems back up and running by the time employees arrive at the hotsite location.

    An invaluable process

    No one knows when disaster will strike. That’s why it’s smart to plan now for the unexpected — just in case. Creating a disaster recovery plan doesn’t have to be an expensive or time-consuming process — but it’s one that will prove invaluable if and when the plan is ever actually put into place.

    Don Sadler is a freelance writer and editor specializing in issues of interest and relevance to businesses and executives. Reach him at don@media3pub.com.

    Category: Business Planning
    Print page