Disaster Recovery Planning: Coming of Age
- Published on October 29, 2007
The terms disaster recovery, contingency planning, business resumption planning and contingency management have been defined, seminar-ed, white paper-ed and presentation-ed in every conceivable way and forum. In today’s corporate world, disaster recovery (DR) has been described as the “Rodney Dangerfield” industry. Its importance is acknowledged but not fully comprehended, recognized but not actually accepted, and supported “as long as it does not come out of my budget.” In short, disaster recovery gets no respect.
It is, however, an industry still in its adolescence, attempting to mature. As standards proliferate so do the numbers of new consulting firms, hotsite vendors and disaster recovery coordinators. In addition, user groups like the Association of Contingency Planners (ACP), the Delaware Valley Disaster Recovery Information Exchange Group (DVDRIEG), and the Contingency Planning and Security Exchange Group are gaining momentum, and their membership is increasing across the United States. These groups address the concerns and questions that developed in the late 70’s and early 80’s, but were left unanswered for the most part. They are also raising new issues and service concerns. So, even though technology has played a vital role in raising the high tech aspects of DR, there are a number of yet-to-be resolved basic questions:
1. How do you obtain executive approval for plan development?
2. What are the criteria in developing a plan of action unique to an organization?
3. How do you obtain budgetary approval?
4. What is the first step? What are the next 10 steps?
5. Is it more cost effective to seek an outside source or develop the plan and recovery capacity from within?
6. How do you implement and stress the term “accountability” throughout the entire organization?
7. How do you educate management on the significance and implications of this industry?
Perhaps the key underlying question, however, is: Why is it so difficult for management to accept this industry and allocate the funds necessary to implement a DR plan?
One answer is that management has based their decisions on what is perceived as “return on investment.” DR, unfortunately, doesn’t play by these rules. It simply does not follow the traditional, accepted business reasoning of “how will this expenditure increase our profitability?” This thought process has been practiced worldwide throughout all levels of business for a legitimate, easily understood reason: It has worked!
With disaster recovery, we now ask these same decision makers to throw out their accepted, proven standards and readily accept something that has a starting point but no end, and does not enhance profitability. Furthermore, budget approval must be a mainstay year after year, not just when profits and stocks are up. It means that the word “accountability,” not just in data processing but throughout the entire organization, is understood, practiced and supported as part of the overall company philosophy.
A case in point is the Exxon Valdez oil spill at Prince William Sound. Mr. Lawrence Rawl, the CEO of Exxon, was quoted as saying if the oil spill proves anything, it’s that you need someone in charge who can “move quickly without a lot of recrimination.” He went on to say that in ten years you’ll see “nothing” (affects the environments). Obviously, following a disaster, whether it affects data processing or another division of the organization, it is the responsibility of the organization to “soften the blow” and to reduce the impact and/or losses. But what about the systematic plan of action to do as much as humanly possible to prevent that event from happening in the first place?
The public and media outrage over the spill was widespread and the estimate for its clean-up is increasing to hundreds of millions of dollars. The point, whether it relates to Exxon, the Hinsdale fire or any other natural or man-induced disaster, is that these are business issues vital to the continued successful operation of that organization, both short- and long-term. The dilemma? With the amount of national and international investment available, how and why should a CEO approve a disaster recovery budget when that same CEO is responsible for increasing stock value, reducing overhead and operating cost, and ultimately increasing net profit!
At the same time, who is responsible for gathering information and justifying this expenditure? Mid-management - a highly mobile and promotion-oriented position. They are given the difficult and frustrating task of “proving” that contingency management must play an integral part in everyday operations. These individuals are faced with the tremendous responsibility of affecting the consciousness and pocketbook of the corporate world.
Furthermore, this industry not only challenges the status quo but also enters into taboo areas of business. For example, it often touches upon internal politics, power struggles, the true value of each department and “what-if” scenarios, issues discussed in hushed voices, usually outside of the organization. Contingency planning not only gathers this type of information but addresses critical business functions, vital to the survivability of that organization. That, in itself, spells trouble. It is the only industry of its kind that touches all departments and personnel where the organizational structure is flattened. Audits of various sizes and shapes certainly review some of these issues but not at the level DR does, whereby answers and solutions must be the norm, not the exception.
Industry-wide agreement with all of some of these points is not, however, the issue. DR, as an industry, is still seeking to legitimize itself within the business community. Upon examining the financial industry where laws have mandated the need to develop and test, we begin to look at the future. A future where DR will develop into one of the most significant, vital and recognized industries in 30 years. What is the catalyst? Why will it develop as an integral part of the corporate world? A primary reason is that the term “American business community: is no longer valid. Instead, it is now the world business community. As the United States has moved from production and manufacturing to a service-oriented nation, the financial and cultural influences of foreign investments here are playing a more significant role in how business is conducted.
Ten short years ago we seldom read in the papers or heard on the television terms such as hostile takeover, merger, acquisition, leveraged buyout or junk bonds or transactions like the Kholberg, Kravis and Roberts (KKR) buyout of RJR Nabisco for $23 billion. In 1989, however, we look at a U.S. trade deficit of $137 billion, a savings and loan debacle that will take an estimated $100-200 billion to straighten out, and a significant increase of foreign-owned real estate in the U.S.
In 1992, free trade in financial services in Europe will become a reality. This will open the doors for U.S. as well as international corporations to expand, and expansion means large investments. The larger the corporation, the greater the risks, and ultimately, the more at risk a corporation is to loss and liability.
Furthermore, the European Business Community, strengthened by the devaluation of the dollar, is planning to increase their exports to the U.S. significantly. In addition, Japan buys such a significant amount of U.S. Treasury Bills every year (which are tied into the Home Mortgage Rate) that, theoretically, it could some day influence the future amount of money available for mortgages.
What does this have to do with DR? Everything! It is the only industry that has the basis and potential to examine an organization not only from the outside in but also from the inside out. With the increasing liabilities on Boards of Directors and executives by stockholders over potential losses, DR will become a key business issue, not simply a data processing and security issue or end-user concern. It will develop into a critical, functioning process, for instance, when a company like KKR is looking at a new potential takeover candidate. Obviously, the role of the large accounting firm will increase whereby the value of that company is reviewed based on net profit, debt and market value. However, DR will take on an equal and, perhaps, a more vital role which is the detailed accounting of how that corporation got to where it is, and what steps it has taken to protect both its assets and operations. The future will be shaped by the growth of not only the American economy but by foreign investments. Stockholders are playing a more active role in the operations of companies, and governmental agencies are under more pressure and scrutiny to increase efficiency and modernization.
Again, financial institutions are currently regulated in their DR responsibilities. Why not manufacturing? The auto industry? The airlines? All one has to do is look at the significant effect any major industry has on the U.S. economy when it is in the limelight and, in fact, it does not want to be. It is logical, and entirely possible, that other industries will be compelled, by federal and other regulations, to develop DR plans.
Is there any one element that will shape DR in the future? The answer is most definitely “no.” Rather, there are dozens of factors, some of which are readily apparent at this time. These may be when a nationally recognized CEO is held personally liable for lack of preventive action following a multi-million dollar loss, or when DR coordinators are promoted and recognized at a senior management level, not only in name only, but as true decision makers in board rooms. From a data processing perspective, the influence of IBM entering the industry will certainly heighten the awareness of corporate decision makers and help to shape DR’s future. We in the industry must also take action and break out of this narrow mold into which we have put ourselves. We must move forward with new ideas and new methodologies that have been researched and tested instead of waiting for that next significant fire, flood or “big one” to strike. It is time to move forward and emphasize the business issues at hand, not the disasters that move executives to react. We cannot discuss critical business functions until we have educated our organizations on the magnitude of these business issues.
The experts within the industry must play an integral part in shaping the future. Vendors must pursue research and development, value added services, quality support staff, and lead the industry in technology and methodology.
Risk managers and disaster recovery coordinators must fully comprehend all the issues at hand and educate not only from an operations standpoint, but from a business perspective. The professionals within this industry must not rely on the past to catapult us into the future. The challenge to orchestrate that change, however, is today.
This article was written by Tom Von Novak of SunGard Recovery Services.
This article adapted from Vol. 2 No. 3, p. 31.