CIOs typically plan for systems recovery in the event of some kind of network outage. But they often don’t take the next critical step—ensuring business continuity and operational functions. In stopping short, they put the company at risk of losing customers, reputation, and revenue.
To develop a sturdy disaster recovery and business continuity plan, experts and TechRepublic members advise CIOs to work alongside business partners to identify mission-critical business processes. They also must consider operational and logistical scenarios. And lastly, enterprises must test and maintain disaster response plans regularly.
Analyzing business processes and IT systems
To overcome the traditional IT-centric approach to disaster planning, Scott J. Darling, a TechRepublic member who manages product development at an accounting and tax consultancy, recommends a two-pronged, team-based approach:
- The first prong features teams from each operational division. Each team is responsible for outlining the essential business processes for its respective division.
- The second prong focuses on core corporate processes—sales, regulatory, or cash management. CIOs might consider structuring teams around each of these core corporate processes if the staff number and complexity warrants multiple teams.
As the various teams analyze the business processes, it becomes clear how the underlying technologies relate to each other, according to Darling. This, he added, also demonstrates the interconnectedness of IT processes and businesses strategies.
After leaders have completed the analysis, the business unit teams and the core process teams should then develop recovery plans around three scenarios:
- Manual recovery, or a means of staying in business without any of the IT systems in place
- Interim recovery, in which only a few workers have limited access to systems and desktops
- Full recovery, in which all systems are restored and seats and access have been established for everyone
This methodical approach is certain to identify IT's role in the total recovery process, explained Darling.
Yet as another TechRepublic member explains, the job doesn’t end there.
Include operational and logistical considerations
A complete disaster and business availability plan must prepare for upheavals within physical operations as well as anticipate the logistical needs in overcoming them, as this anecdote from TechRepublic member Kyle Kuda illustrates.
Late one Friday evening, the IT specialist received a call at home from his company’s security monitoring company. A power spike had tripped the surge protector, causing the UPS backup to kick in. "When the batteries were drained, the system went into a bypass mode, allowing nonconditioned power into our UPS," Kuda explained. A second power surge started a fire in the UPS.
Kuda's business continuity response team quickly declared the incident a disaster, triggering the planned response: phone calls to hardware suppliers, employees, a cleaning company, and phone system reps, and a plane trip to the cold storage site in another city to restore lost data—an activity the company had tested the year prior.
By Monday morning, the team had restored the server room and most functionality. To customers, it was as if nothing at all had happened, added Kuda.
The need to test and update plans
One important part of Kuda's plan included a test of the IT and logistical response. Such drills should occur at least once a year, according to Eric Beser, TechRepublic member and CEO of Owings Mills, Maryland-based Ennovate, Inc. Beser's firm, which provides business continuity services, recently published a free e-book, A Guide to the Perplexed Business Owner: Helping Your Business Survive the Unexpected Shutdown. The book provides tips on how to do business continuity and emergency planning.
Beser said plans should be tested when a company is moving operations or relocating a data center, or else annually. He also recommends having the response team leader randomly select people from the response team to be "no longer available." This prompts team members to crosstrain in each other's domain areas.
"During these tests, I'll ask a CFO of a company if he can recover financial data," explained Beser. Usually the answer is no, which demonstrates a possible weakness in the logistical response to the plan, he added.
Following mock drills and test, companies often learn important lessons—for instance, that they have not provisioned for an emergency meeting place if the office suddenly becomes incapacitated. Response tests might also reveal the need to maintain and update documentation, including service phone numbers, service plans, account numbers for all systems, and vendor relationships including financial services.
These disaster recovery plans should be updated any time a change is made in company policies, procedures, equipment, or key personnel, and then shared with all employees and involved vendors.
Laying the groundwork can save millions
The bottom line of proper disaster recovery and business continuity planning is the difference of a few thousand dollars to restore lost equipment or the possibility of losing millions in equipment and revenue if the disaster affects client business.
"If we had not been prepared and been able to get back up and running in less than 48 hours, the cost…would have been much more,” wrote Kuda about his server room disaster. “The loss of confidence in our business continuity would have caused clients to pull their business. A few thousand dollars in insurance vs. a few million in lost revenue….It’s no contest."