Surviving A Disaster Takes A Plan, Not a Miracle!
- Published on October 29, 2007
Successful business resumption is a result of planning, and to develop a full-scale plan requires time and resources. What is meant by "planning?" If your company was hit with a disaster, are you certain that there are procedures "to put into action," and that your key people are aware of their responsibilities and know how to respond? Today the rewards for having a business resumption plan could be many, since the question seems to be, "When will disaster strike?" not "Will disaster strike?" The only effective way a business can diffuse the impact of a disaster is to prepare (through planning) for disaster.
The purpose of a business resumption plan (also referred to as contingency plan) is to restore an organization's critical business operations as quickly as possible after an unforeseen disruption, thereby minimizing the operational and financial impact. A disaster can strike the business community in many forms, such as: fires, tornados, hurricanes, power blackouts, computer viruses, or employee sabotage. After the Wall Street blackout in 1990, Hurricane Andrew and the San Francisco earthquake in 1989, and the World Trade Center bombing in 1993, the importance of contingency planning should be even more apparent and urgent to business executives. Because of advances in technology and changes in the way business is conducted, there are disasters occurring today that could not have happened 10 years ago. Contingency/resumption planning is no longer an issue for just the data center, it's a management concern, and should be viewed as an investment in the company's survivability and continuity.
Developing a plan for business resumption requires the planner to think systematically. The following steps are basic steps used in planning for contingency:
1. Obtain senior management support
2. Perform business impact analysis (impact/cost to the business unit of service or specific capability)
3. Perform risk analysis
4. Develop action plan (actions to take, resources to use, procedures to follow before, during and after a disastrous event)
5. Perform realistic testing on a regular basis
6. Maintain the plan (auditing, updating and modifying)
Let's look at each of these steps:
1. Obtain Senior Management Support. Recovery/resumption planning is an executive management issue. The consequences of a disaster are an executive management issue. The consequences of a disaster are real, and severe monetary losses could be incurred without a well developed recovery/resumption plan. The recovery/resumption plan is like insurance. No one wants to risk being without it, but at the same time you hope never to use it.
2. Perform Business Impact Analysis. One of the most important aspects of a recovery plan is to determine the critical business functions of the organization. This establishes the value of each unit as it relates to the functioning of the total organization. Business entities have different time frames in which they can be interrupted without causing a significant negative impact on the organization.
Each area should be evaluated and ranked as critical, necessary or optional ("Critical " in this context refers to those having severe financial impact or legal/regulatory requirement in the event of loss). Questions should be asked such as: What would happen if the business functions were not performed following a disaster?
What percent of income would be lost if the business processes (both automated or manual) were interrupted for days or weeks?
3. Perform Risk Analysis. The key to minimizing interruptions is to identify the critical areas of vulnerability, and determine the potential effects of various types of disaster. "What is at risk if it does happen?" The idea is to pinpoint the loss exposures, estimate the interruption and the potential financial impact.
At this point, the cost to minimize or eliminate exposures is then evaluated. This step also includes recovery strategies - decide how much and where to invest in avoiding disaster, determine resource requirements, identify and analyze recovery alternatives, and cost each of the alternatives.
4. Develop Action Plan. The action plan differs from organization to organization. There is no such thing as a "one size fits all" in clothes or action plans. The business resumption plan is the organization's "predefined game," to resume business operations on timely basis. It should be flexible and designed to eliminate as many unknowns as possible before a disaster occurs.
The detailed procedures should focus on the whole business environment, protecting all aspects not just the computers, telephones or structures. A well-developed plan should identify the teams, responsibilities, how testing will be done, and how the plan will be maintained.
Each business unit should have a business continuity plan that is a subset of the corporate plan.
5. Perform Realistic Testing. "You play like you practice." Successful recovery/resumption depends on everyone knowing the plan and being able to carry out their part. The plan needs to be tested (or, new term "exercised") to verify that the strategies will work. A written, but untested plan may be worse than not having one at all. In three years of participating in the testing of the USAA FSB system recovery exercises, the results of each were different. Changes that had occurred since the last exercise may not have been noted, and problems as a result were often undetected until the exercise.
An untested plan is of limited value, and could lead to a false sense of preparedness. Testing is also a training tool, and may reveal aspects of the plan that are inadequate or unclear.
6. Maintain the Plan. The plan is a living document; it must be continually updated to be of value in a dynamic organization. People move, areas reorganize, new equipment is purchased, and so on. As changes occur, those changes should be reflected in the plan. Any problems or failures during testing may identify a required revision to the plan.
"Service to our members" is our commitment. We've never heard "service to our members if we do not have a disaster." Is USAA among the few who will never see a disaster? All organizations need a business resumption plan. If a disaster occurs, the organization will lose time and money, however, with a plan that loss is minimized and will allow the company to survive.
Business resumption is both a management and an asset protection issue. The ability to maintain business continuity, or to regain it in a timely manner is the asset the plan protects. An organization that plans ahead for disaster is investing in it’s continuity; the organization is in a better position to recovery and resume operation. That's just good business.
Edith Burns is a Contingency Planning Analyst for Information Systems at United Services Automobile Association (USAA), in San Antonio, Texas.