When the economy takes a turn in the wrong direction in order to meet profit projections, most organizations ask their employees to do more with less. Some employees say, “Why don’t we just increase revenue?”
The answer is the hard approach and is very uncertain. A more positive way and what is normally preferred by senior management is to hold down expenses. The cost savings flows straight to the bottom line when employees are laid off and projects/programs are cut. One such project/program that almost always gets cut is the disaster recovery/business continuity planning program.
“This should never be the case. When employees leave an organization, they take with them intellectual capital that may be needed should a disaster strike the organization,” said Tommye White, CBCP,CRP, a senior consultant with RPG in Arlington, Texas, after she retired from the State of Texas, Office of the Comptroller, where she was in charge of the disaster recovery/business continuity program.
Experts agree that employees recover from a disaster, not computers. The loss of these employees and their experience and understanding of their individual jobs creates a breach in the organization’s ability to recovery should an outage/disaster occur. The intellectual capital loss coupled with disaster recovery/business continuity plans that are not up to date and which do not include all critical business needs will definitely strangle most corporations.
“In times of economic uncertainty one way to insure as much intellectual capital as possible is preserved is to have a robust disaster recovery/business continuity planning program,” said Tracy Cowan, CBCP, CRP a senior disaster recovery/business continuity consultant with The Consultants Source in San Antonio, Texas. “Updated and practiced plans and staff expertise is the key to securing a corporation’s ability to recovery in a timeframe that will assure continuity of critical business. A well managed disaster recovery/business continuity planning program will be the biggest self examination an organization will ever do of itself and will pull more critical information into one location than exists anywhere else in the organization.”
The organization needs only to look at its own mission statement to see how important it is for the organization to function in the designed manner. If a disaster strikes, will the organization be able to continue to meet its service level commitment to timely and efficiently deliver its goods and/or services? There are seven basic questions that all levels of management within the organization need to answer in order to assure that the organization will be able to meet its mission statement and service level commitment to its customers, vendors, internal departments who depend on one another, its shareholders, and other interested parties if and when a disaster strikes. The seven basic questions that management must answer are:
What Needs To Be Done?
Each department develops a list of all of the processes that take place within their department. For example: payroll, general ledger, accounts receivable, accounts payable, commercial loans, and demand deposit accounting are all processes (the collection of data and the material required to accomplish the processes such as collecting the time sheets, entering the information into the file, etc.).
Why Does It Need To Be Done?
The best way to answer this question is to conduct an in-depth study, commonly referred to as a business impact analysis (BIA). One of the main deliverables of the BIA is the documentation of the contributions the department and its processes make to the organization, both from a financial and service level. These processes can now be ranked based on facts, not emotions, as to their overall importance to the continued operation of the organization and the need to insure they are functioning when needed.
When Does It Need To Be Done?
During the BIA recovery time objectives (RTO) are developed for each process. This is in conjunction with the contributions the process makes to the organization and what consequences there will be to the organization if it is not able to function within an acceptable time frame.
Where Is It To Be Done?
Today each process is performed at a given location. When a disaster occurs and the normal work site is inaccessible but there is a good disaster recovery/business continuity plan in place, the alternate location will be documented where the process can be performed. This saves time and money.
Who Is Going To Do It?
The disaster recovery/business continuity plans define the team that will be responsible for the performing of each process. It will list trained alternates who can take the place of the responsible person or persons (team member or team members) if they are not available.
How Is It To Be Done?
A number of fact finding meetings need to be held during the plan development in order to develop a step-by-step set of tasks for each process that when followed will allow the process to be recovered within an RTO acceptable to management. Each process must be examined from a vertical perspective as if it is the only process being recovered. During these meetings and the sharing of knowledge by the employees most knowledgeable of the process (the steps needed to recover it and the resource requirements) is where the exchange of knowledge and the preservation of intellectual capital take place.
What Resources Are Needed To Do It?
Every resource needed by a process, internal and external, automated and non-automated, in order for it to function within the established RTO, needs to be documented and verified. This includes procedures, equipment/hardware, software, files (both electronic and hard copy), supplies, space requirements, furniture, telephone lines (voice and data), people skills, call trees, security requirements, floor plans, vendor information, customer information, and any other requirements needed to insure this process can function in an acceptable manner. The information may be documented within the disaster recovery/business continuity plans or stored somewhere else and only referenced within the disaster recovery/business continuity plans.
In conclusion, plan developers need to conduct formal training sessions to make sure that everyone in the organization knows what role they will play if and when the disaster recovery/business continuity plans would need to be implemented. These plans should be tested by starting with several formal team by team table-top tests. After table-top tests are successful, an all team test/exercise should be conducted. A formal maintenance procedure and schedules should be developed and followed.
By following these suggestions and understanding the financial and operational impacts of an outage/disaster, management can now determine how valuable disaster recovery/business continuity planning and the retention of critical staff can be for an organization. Maintaining the plans and continuing the training and culture are critical to the ongoing success of the continuity program and ultimately recovery if an outage/disaster should occur.
Norman L. Harris, CBCP, CRP, is president of Harris Recovery Solutions, Inc. and is recognized as the founder of the disaster recovery planning industry. During the last 30 years he has consulted with more than 1,000 clients and conducted more than 500 seminars including “BCP Made Simple,” “The Command Center,” and “Essentials of Disaster Recovery/Business Continuity Planning.” He has presented nearly 1,100 speeches on the subject of disaster recovery/business continuity planning and has appeared on many television and radio programs discussing the subject. As a diligent author, Harris has contributed articles to Newsweek, USA Today, The Wall Street Journal, Computer World, Disaster Recovery Journal, Bank Systems and Equipment, CRISIS Magazine, Disaster Resource Guide, and many more. He coined many of the terms commonly used in the DR/BCP industry, including “hot-site,” “cold-site,” and “warm-site.” Harris initialized “disaster recovery planning” as the standard name for a new and rapidly growing industry. He can be reached at (614) 889-0700 or firstname.lastname@example.org.
"Appeared in DRJ's Spring 2009 Issue"