Disaster Recovery Planning – Part 2

You are in charge of your firm’s computer operations. It is your responsibility to keep things operational 24×7. But have you adequately addressed your disaster recovery needs? In my previous post “Disasters from A to Z“, I discuss types of disasters that might affect your operations. Disasters come without warning and with different degrees of severity, so it is best to be prepared and have a plan.

In analyzing your level of disaster recovery preparedness you should ask yourself these questions:

1. My firm understands disaster recovery preparedness and we are prepared to recover
2. My firm understands disaster recovery preparedness and we are not prepared to recover
3. My firm understands disaster recovery preparedness but we do not want recovery planning
4. My firm does not understand recovery planning

These are important questions to ask yourself because knowing which category you fall into is the first step to recovering from a disaster.

It can be argued that you can live without disaster recovery planning. This is true. In addition, disaster recovery planning varies from firm to firm, industry-to-industry, and level of technology dependence. So there is no one solution. You will have to develop a plan to meet the needs of your business.

Here is a quick model that might help. Ask yourself what are the key business functions in your company. Now list the IT and business resources that support these functions. Next, assume that you are no longer able to maintain the continuity of one of these functions because of a disruption (see “Disaster Recovery-A Beginners’ Guide“).

Now estimate the financial impact to this loss based on the length of the disruption- one-minute, one-hour, one day. Multiply this number for every business function you cannot maintain. You can now see the costs of a disruption to your operations.

So where do you start?

1. Conduct a business impact analysis (BIA) to develop a “what if” scenario. This will help focus on areas that are critical.
2. Get management approval and buy in.
3. Define your minimum acceptable recovery configuration for your environment.
4. Be detailed in your recovery steps. Everyone and anyone should be able to follow the plan.
5. Cover all critical business units and their dependents.
6. Ensure there is adequate staff to back those that are affected by a disruption including yourself.
7. Keep the plan current. As changes to your environment occur, update your plan accordingly.

Finally, the most important part of disaster recovery planning is testing. This is where you can address deficiencies in your plan. Initial, the more testing you do the better. Once the bugs are worked out of your plan, future testing will go smoothly. Test Test Test. Have business units test and have your auditors review and provide comments.

An effective disaster recovery plan can ensure your business operations can continue with minimal zero interruptions.

Disasters From A to Z

It amazes me that in this day and age there are firms out there with absolutely no disaster recovery plan. I am not talking about a comprehensive 200-page manual but just a simple calling tree. How can any business operate without some level disaster recovery preparedness?

Let’s first define disaster. I would define a disaster as any event that adversely affects your operations. These events can affect your computer operations in any number of ways. Recovery back to normal operations can take anywhere from a few minutes to several hours.

Having worked in NYC for my entire career, NYC has been the center of many events. Many of which I have been through.

Here is a list of disasters that a firm should be prepared for:

Acts of God, Air-conditioning failure, Arson, Blackouts, Blizzards, Boiler explosions, Bomb threats, Bridge collapse, Brownouts, Brush fires, Building collapse, Chemical accidents, Civil disobedience, Communication failure, Computer crime, Disgruntle employee, Denial of Service, Earthquakes, Embezzlement, Explosions, Falling objects, Fire, Flood, Hardware crash, High winds, Heating/cooling failure, Hostage situation, Human error, Hurricane, Ice storm, Interruption in public service, Internet outage, Coup d’état, Pandemic, Water main break, Terrorism, Labor dispute, Lightning strike, Malicious destruction, Military operations, Mismanagement, Personnel non-availability, Plane crash, Phishing, Public demonstrations, Buggy software, Radiology accident, Railroad accident, Sabotage, Sewage backup, Snowstorm, Software failure, Sprinkler failure, Telephone problems, Theft of data, Transportation problems, Vandalism, Computer viruses, Water damage, Worms, Gas leaks

This lists gives you something to think about.