One way to implement a Disaster Recovery Plan would include two stages toward completion. With a commitment to completing these stages, your operation will be protected from the definite consequences of any disaster that may occur.
Step One should consist of the signing of a base disaster recovery contract with a vendor that you feel will be able to satisfy your requirements over a long period of time. Remember that a commitment to disaster recovery is not for the short fall, but for the long term protection of your organization. Therefore since your investment both in time and money will be considerable, you must make sure that this investment is made wisely.
Any disaster recovery vendor should offer contract terms that will fit your particular needs. A five year term may not be in your best interests, therefore your vendor should be able to provide terms that will best serve you and not that vendor. As an example you may require that the initial term be a period of six months with some automatic extension at the end of this period. This will give you the leverage to get out of an unsatisfactory arrangement while at the same time protecting the vendor's investment if the service is as advertised.
Possibly the most important aspect of your contract is if the vendors guarantee that you will have access to the facility in case of a disaster. If there is a remote possibility that you would not have access to the disaster recovery facility, then the vendor should be scratched from consideration. Also, delete any vendor that restricts your usage of the facility to a certain time frame as it only serves to hinder any recovery if you are forced to pack up and move to another site prior to having your home site back in operation.
When negotiating your hardware configuration make sure that you have a certain amount of dedicated resources that are customized to your particular requirements and not generic to data processing. With dedicated resources you will be able to have the required software in place on an ongoing basis which will save time, effort, and money both in testing your plan and in the implementation of that plan should a disaster occur.
Ideally the agreement should contain provisions for an amount of facility usage that are included with the base cost of the service. As an example, you should have a certain amount of allocated hours to initially complete the installation of your software onto your dedicated resources. In addition, you should be granted a certain amount of hours whether monthly, quarterly, or yearly to test and maintain your system and plan.
Finally, get all charges defined so that you do not have any surprises whether testing your system or worse, during an actual disaster. Find out all optional services that the vendor can supply and what the cost will be for the services.
Step Two is to backup your critical data, both business and systems. If there is no data to recover, then recovery will not be possible. In addition, this process will assist you in determining the hardware configuration that you will require at the recovery facility.
You must first conduct a Business Process Analysis to determine the criticality of the data to be recovered in the case of a disaster. During this analysis you will require input from all departments identifying the critical processes as in A-B-C-D with the A category representing the most critical.
One disaster recovery subscriber found that the A Group represented 18%, the B Group 21%, the C Group 30%, and the D Group 31% thus allowing them to allocate resources without wasting valuable resources (such as paying for hardware resources that they did not require). After this analysis, the backup data should then be installed at the disaster facility therefore being available for your use and maintenance. The backup data should also be inventoried at a storage site independent of the disaster facility and your home site.
These procedures should also be followed to include your paper records which would include: production schedules, operating procedures, hardware and software inventories, phone lists, organization charts, vendor call lists, and system manuals (all information necessary to run your system in an unfamiliar site).
You would then maintain a complete inventory of all backup materials with these inventories being distributed to your personnel, the disaster vendor, and the storage vendor.
In Step Three you would plan and implement the installation of your operating system onto the dedicated resources at the disaster recovery facility.
Your critical recovery personnel should interface with the disaster recovery team from your vendor to plan the hardware addressing scheme and set time tables for the completion of this step. Then a definite schedule to complete this step should be set and kept. Once this step is completed you can proceed to Step Four which will be to conduct a complete test of the work done in the previous step.
In Step Five your recovery team and that of your disaster recovery vendor will conduct a formal analysis of your stored data, paper resources and disaster recovery facility resources. After this analysis is complete, you must then change inventories and set final retention periods along with your offsite rotation schedules.
You have now completed Stage I to this phase of your disaster recovery plan. Now you are ready to begin Stage II of this portion of your recovery plan.
During your Business Process Analysis you determined the priorities and criticality of the data to be recovered and installed this software onto the dedicated resources at the disaster recovery facility. Now is the time to review the applications and determine a schedule to keep these programs as current as possible.
Again, priority is your main concern. Therefore, A Group would have a tighter schedule than the B, C, or D Groups. Since you do not want to be having your personnel running back and forth between your site and the disaster facility, you may look at a remote type access to that facility such as 'ProCommon Plus'. This is a low cost program that will allow some remote testing and updating of your system at the disaster facility. Also, make plans to update and test the system at the disaster recovery site every quarter to insure that it will be as current as possible in case a disaster does strike. There are a few things worse in disaster recovery than finding out too late that your recovery system has become antiquated.
At this point in your recovery planning and implementation it is time again to address the contract covering the service that your vendor is providing. You would think that once you have entered into an agreement that you would not have to worry about it again until the initial term is completed. However, just as other circumstances of your recovery plan are subject to change, the contract between you and the vendor supplying the service does need to be checked and updated periodically.
You may require more disk space, tape drive upgrades, additional terminals, printers, or specialized communications which can add to the cost and configuration of your system at the disaster recovery facility. In addition, at this point you should now feel comfortable with your vendor and be prepared to offer to sign for a longer contract term which may help you in pricing the service that they provide along with the additional service that you may require.
Now it is time again to evaluate your plan by conducting yet another analysis of the plan. Be sure to include a team from the disaster recovery vendor after you have concluded your internal analysis.
Start by reviewing your hardware configuration at the recovery facility to insure that there are not any deficiencies here. At this point, the most common inadequacies occur with the communications configuration, so special attention should be directed to this area. One other note regarding your communications: test, test, test! As important as testing is to the rest of your plan, that goes double for the communications.
Now conduct another Business Process Analysis as before to determine if any adjustments need to be made in your critical processes. Also, make any adjustments to your data and the inventories that control them to reflect your findings. During this procedure you should review and update all of the paper records that you established earlier and make sure that these records are kept current at all locations.
As an example, you do not want to be in a disaster mode and find out that one of your suppliers has gone out of business, a critical telephone number has changed or that your organizational chart is out of date due to personnel changes. Having these records up to date will make a crucial difference should you ever find the need to implement your disaster plan in a real emergency.
In the next step of your disaster recovery plan there should be a full scale meeting between all concerned personnel from your organization and that of your disaster recovery vendor to focus on the future direction of your plan and its implementation. This should be conducted as a mini conference at a neutral site where complete focus can be given to the subject. Plan on setting aside one afternoon to conduct this meeting with you and the vendor sharing the cost of having the conference.
Finally, plan for a simulated disaster recovery test once per year. These tests should be conducted as if a disaster actually hit your operation. One company even put yellow tape over the affected areas of their operation simulating that an airplane had crashed into the building. The President of this company wanted to see how his investment in disaster recovery would pay dividends in case they really needed to use the plan. There is a good ending to this note, he was so pleased with the results of the test that the next day he awarded bonuses to the personnel responsible for his disaster recovery plan.
By this time you should be well prepared should a disaster hit your data processing operation. By completing these stages of disaster recovery, maintaining your plan, and having a disaster recovery vendor that responds to your individual requirements, you will be able to guarantee that your business will continue in case a disaster strikes your operation.
It takes diligence, patience, and investment to implement and maintain a disaster recovery plan. However, the returns will far outweigh the effort put into this aspect of your data processing operation.
Mike Underwood, CDRP, is President of UHW Corporation, a computer maintenance and disaster recovery company.