DISASTER RECOVERY JOURNAL
PLANNING ISSUES
‘Well, It Worked Last Year!’
Change Triggers For Plan Reviews and Updates
By CHRIS ROHRS, CBCP
As business continuity professionals we know that periodic reviews of
our plans are critical. Plans can become as stale as last week’s
croissants very quickly.
The environments we work in are very volatile. New technologies appear
almost on a daily basis. There is more pressure to roll out new lines
of business and applications, new threats emerge and resources continue
to shrink. The roles of the players who might be involved in recovery
change almost constantly.
All of these changes may impact our plans, and our ability to recover,
in some fashion. Plans may have to be reviewed, and possibly updated,
out of their normal cycles.
This article offers a list of some changes that may occur in the business
or infrastructure/technical environments that should be kept in mind
as plans are reviewed, as well as some suggestions on tracking changes.
These changes might trigger plan reviews and possible plan updates.
This article is also intended to raise awareness of change as it impacts
business continuity.
Most of us have regular cycles for plan reviews and exercises. But,
the timing of changes almost certainly will not follow these cycles.
A plan that is reviewed yearly may become out of date within a few weeks
or months because of new business functions, reorganizations or new
technologies. Tracking the changes that have occurred can give us some
indication whether or not a plan should be reviewed and possibly updated
out of its normal cycle. Tracking the changes can also help us in carrying
out more effective reviews, and holding more effective exercises. The
changes that have occurred may point to areas of the plan that should
have closer attention, or may help in developing scenarios for exercises.
A thorough review of a business resumption plan can involve some time
and effort. For purposes of this article, “review” means
at least sitting down with the plan, and any supporting documentation,
and reading the plan to check that it is still valid. If the plan is
for the recovery of a single unit, the review should include some of
the key staff of that unit. If the plan is for the recovery of multiple
units, some staff from those units could be involved in the review process.
People from units that might support recovery may also be included.
Each organization will have its own guidelines for what constitutes
a review and who should be involved. A review could lead to updates
to the plan, as well as a walkthrough, tabletop exercise, or even a
more robust exercise to validate the plan.
Changes
Following is a list of some changes that may occur in either the business
or infrastructure/technical environments. These changes may trigger
an out-of-cycle review, and could lead to plan updates and/or exercises.
The following list of possible changes is not intended to be exhaustive.
Type of Change
• Add/delete a business function or new line of business
• Add/delete applications
• Add/lose/change key staff
• Change to the business functions’ recovery time objectives
(RTOs) or recovery point objectives (RPOs)
• Change the business functions’ back-up strategies or the
back-up/recovery technology
• Change the timing of a business function (e.g., a function that
was run 8 a.m. to 5 p.m. Monday-Friday is now run 6 a.m. to 6 p.m. Monday-Saturday)
• Changes in upstream/downstream business dependencies (timing,
applications, interfaces, outside entities, etc.)
• Corporate policy changes
• Functional unit moves to a new physical location, or some other
substantial change in the physical environment
• Functional unit’s overall RTO changes (for example, a
unit operating from 6 a.m. to 6 p.m. has a 12-hour RTO, or less depending
on other factors. If the unit’s hours of operation change to 6
a.m. to midnight, the RTO becomes six hours, or less.)
• Issues/problems discovered during exercises or during an event
• Move functions to a substantially different technology
• Move the functional unit to a new organization
• New mandatory/legal/regulatory requirements
• New or changed roles for units that may support recovery, or
new support units (infrastructure support, computer operations, physical
security or travel, for example)
• New relocation sites
• New threats or changed assessment of threats
• Reorganization of the functional unit
• Research into best practices
• Substantial changes to a business function, such as new processes
or machinery
• Substantial changes to number of employees or skill set of employees
• Substantial changes to applications
The following minor changes will probably not trigger a plan review:
• Changes to employee contact information (might trigger a communication
exercise)
• Hire/loss of non-key staff
• Minor changes in technology, applications or the physical environment
Periodically, the business
continuity manager or staff, working with the business partners, should
examine the list of changes that have occurred since the last review/update
and determine if an out-of-cycle review of the plan is warranted. The
above list of triggers could also be used as a checklist to track changes
that have occurred.
A series of minor changes to the technology, applications, number of
staff, or physical environment may cause enough overall changes in the
plan to warrant a plan review and possibly an update or walkthrough.
The business continuity staff, working with others if appropriate, should
carry out the plan review. The goal is to decide whether the plan itself
actually needs updating, and whether it needs a walkthrough or exercise to
validate it. The plan review may indicate that a walkthrough or some other exercise
is needed to show that the plan still works. A substantial change in
the number of people involved in the functional units might not trigger
plan updates, but might indicate an exercise is needed to help with
training and familiarization.
Review the plan using the list of changes to determine how the individual
plan components themselves may have been impacted by the changes. For
example, moving the functional unit to a new physical site may have
a high impact on relocation instructions. The following table may help
track the impact of changes on plan components. Each organization will
have its own plan components and its own impacts.


Exercises
The changes that have occurred in the business or technical environments
can provide the basis for scenarios for exercises. For example, if a
functional unit moves to a new physical location, a scenario for an
exercise might involve damage to that location to show that the plan
will support relocation from the new location. Or, if the business functions
move to a substantially different technology, a scenario might be developed
to show that that technology can be recovered within the time frames
required.
Reorganizing the functional unit may indicate the need for a communications
exercise, or an emergency response exercise, or an emergency command
center exercise to show that the flow of control and information is
still valid, as well as train the new staff and managers.
Conclusion
Tracking the changes that have occurred in the business and technical
environments that our plans operate in can provide us with valuable
information that can tell us if a plan needs to be reviewed outside
its normal cycle. Tracking changes can also tell what areas of the plan
should be addressed during a review, and help us develop exercises to
validate our plans and show that they will still work as expected.
Chris Rohrs, CBCP, is an independent consultant specializing in business
resumption/continuity and project management. He has more than seven
years of experience in business resumption and more than 20 years of experience
as a technical project manager/team leader. Rohrs lives in northern
California and can be reached at derhexer@aol.com.
To comment on this article,
go to 1603-14 at www.drj.com/feedback.
©Copyright 2003 Systems Support Inc. All rights reserved. Reproduction in whole
or in part in any form or medium without the express written permission
of System Support Inc. is prohibited.