Business Continuity Out of the Data Center and Into the Boardroom

By Anne M. McCarthy

Disaster Recovery. What type of picture does such a statement paint? Data center, hardware, MIPS, VUPS, CPU protection, tape backup, earthquake, fire, flood. . . security and ongoing viability of one of the single most critical resources necessary for a functioning business.
Traditionally, disaster recovery planning was solely the responsibility of the data center environment. Organizations have felt secure in knowing that the likely target for disruption is protected. Protection of the data center ensures the organizations ability to process information. However, if the business unit responsible for providing information is inoperative. . . what will be processed? If the business unit receiving the processed information is not functioning. . . what is the point of processing the information?
Statistics indicate that 43 percent of the computer and communications disasters in the past two years have impacted business functions causing delay or failure in the delivery of the affected company’s product or service to its client base. In one regional disaster alone, the August 13, 1990 power outage in the New York City financial district, direct losses and associated costs from business function outages amounted to over $100 million. In addition, approximately 85 percent of the companies declaring disasters suffered impacts in both the corporate data centers and critical business functions. And, while most of the data center “outages” were contained or prevented (1980’s solution), the business areas had difficulty recovering.
In today’s competitive environment, companies cannot afford anything less than maximum operational efficiency. Executives must implement plans and procedures that ensure that growth objectives are met and that the assets are secure. The protection of these corporate assets can take many forms. One of the most common forms falls under the corporate umbrella “business continuity” or “corporate planning.” The corporate planning approach establishes a business continuity program that enables the organization to continue to meet business objectives, meet customer obligations and maintain marketshare. This provides any department within a company with an action plan which identifies how essential business functions will operate despite a business interruption.
The objective of the corporate planning approach is to implement a business continuity program which focuses on resumption of the business. Which daily business functions could you afford to lose without suffering financial loss, regulatory/audit pressure, or problems with customers? What resources do these priority business units require to operate and what are the appropriate steps that must be taken to resume business? Who will make decisions during the disruption and how will they be communicated throughout the organization? Who will communicate with the media and what will be said? These are questions that executives must ask themselves and resolve. If these questions are addressed by MIS management alone, business continuity will not exist.
As a company begins to seriously examine their business recovery process, a systematic approach is advised. As a first step, an analysis must be conducted to confirm the business priorities and identify potential risks or exposures that exist within the organization. Management must decide what the organization’s focus will be during the initial phases of recovery. Once business priorities have been established, an appropriate recovery strategy will be implemented.
The Business Impact Analysis involves the quantification and analysis of corporate risks. It also involves the identification of recovery requirements and alternatives and the establishment of recovery point objectives for each critical business function. This data is then balanced against budget constraints to produce the optimal business resumption strategy at the least expense.
Secondly, appropriate planning steps must be identified, documented, tested and implemented. This provides the organization with a recovery capability.
Recovery Plan Development entails creating a corporate-wide plan to provide the enterprise with the ability to resume priority business functions and fulfill its corporate mission in the event of an unacceptable interruption.
Thirdly, an assurance program must be put in place. This will ensure that once business continuity has been established that it will stay current and grow or change with the business.
Quality Assurance establishes an ongoing system to ensure the validity of the recovery strategy, the documented recovery procedures and ultimately, the recoverability of the organization.
These three components are critical to effective and efficient implementation of a business continuity program. In addition to these components, there are a number of critical elements that must be addressed as the business continuity program is implemented. These include:

• Executive Commitment: The effort toward business continuity must be a “top down” approach with assigned compliance objectives and an established recovery strategy for the corporation. Senior management must then communicate these standards and procedures throughout the organization.

• Department Management Ownership: Each department must take ownership of the program for their respective area and provide the resources as appropriate. Priority will then be given to the project and accurate procedures will be documented.

• Insurance Involvement: Senior management should notify their insurance carriers of the corporate planning effort. A company able to demonstrate improved ability to operate their critical business functions despite an unexpected interruption should be able to negotiate reduced premium rates.

• Vital Records Program: A vital records program must be implemented that ensures proper protection and availability of all critical information. This includes critical paper documents, contracts, legal documents, information stored on PCs, rolodexes, source documents--anything critical to functionality of the organization that cannot be reconstructed through other means.

Corporations today have expanded their internal recovery efforts to account for the consideration of all critical business departments. They have also established full-time responsibility for implementation of these programs. In some cases, whole departments have been charged, contingency planning departments, with proper, timely, and effective implementation of the business continuity program.
Disaster recovery planning has evolved from a data center problem to a corporate risk management decision. Senior management is now called to take aggressive action to protect their business environment, take preventative measures to minimize the impact of a disaster and implement an effective recovery program. Reviewing business recovery preparedness is quickly becoming a survival requirement. Sound business continuity is a concept we can all live with—you can plan on it!

Ms. McCarthy is Manager of Marketing Communications for Comdisco Disaster Recovery Services, Inc.

This article adapted from Vol. 6 #1.

Disaster Recovery Worldİ 1999, and Disaster Recovery Journalİ 1999, are copyrighted by Systems Support, Inc. All rights reserved. Reproduction in whole or part is prohibited without the express written permission form Systems Support, Inc.