Question:

I am looking for best practice information on the frequency of plan reviews. I am newly hired into the DR Coordinator role for my company and am debating with IT directors the merits of frequent reviews as opposed to infrequent, limited reviews.

My stance is that quarterly reviews will keep the plans in working order and should limit the overall amount of "catch-up" work that occurs when a review is performed. The opposite side to this is something along the lines of bi-annual reviews - with one of the biggest arguments being that the current annual reviews take too much time and are hard to accomplish as it is.

Once an organization has plans in place, how often is a formal review conducted?



Answer 1:

First, the frequency and depth of review are vital to the currency and viability of the plan. What good would it be to have a great plan if a disaster occurs and the home phone number of a key recovery team member is no longer correct, or a critical change to an application or database has been made and not incorporated in the recovery procedures? What if one of your business owners' requirements has changed and the plan has not been sufficiently modified to reflect the needs?

That said, a lot can be done to ensure the changes that are necessary are made on an ongoing basis rather than quarterly or even monthly. The change management and asset management processes should include input to the plan. So should personnel changes, changes to business applications or processes, etc. One of the reasons recovery planning software is popular, especially with larger organizations, is that it enables changes to the plan to be made at a lower level within the organization (i.e. within a specific IT group or business unit). But staff must be trained to use the software, and awareness of the need to update must be communicated. If software is not an option, then the best route to ensure the currency of your plan is to assign certain update tasks for specific parts of the plan. You should have executive sponsorship for delegating these responsibilities.

Once you have divided up the update responsibilities, your task becomes monitoring the updates rather than making them all yourself. One person cannot ensure the recoverability of an organization. It is an organization responsibility and your job is to facilitate and monitor the work.

Dean A. Izett (CBCP)


To build on Dean's excellent comments, a practical solution may be to do quarterly (or monthly) updates for contact information if automatic updates are not possible, and biannual or annual updates for the rest of the plan components.

My best,
Terri

Terri Kirchner, MBCP, CCP


Hi Brad,

You're probably not going to like my initial answer - "It depends." Let me explain my stance here. In my 15 years in the business, I've seen many plans which require constant tinkering (pardon the mechanical humor there) and others which are more static; thus, my "It depends" philosophy.

In a "best practices" world, change management for contingency plans is nearly automatic - as production (people, process or technology) changes, so do the plans. Examples include employee turnover, manual process becoming automated, new application/system introduced, physical location moves, new phone switches/area codes, etc. - each of these were to be done immediately instead of waiting for one, two or three months. When I was a practitioner, I had plan maintenance inserted into the supervisor's monthly status checklist, so that they could do a regular review of the changes in the workplace and determine whether the plans were impacted. Overriding this process was the insertion of Business Continuity into the new hire and new manager training, as well as the assignment of accountability for Business Continuity in every job description from Supervisor to CEO.

Because "nirvana" does not exist everywhere, my advice would be to take a good look at each plan separately and tie the change management process to the rate of information change and the criticality of the business process driving the plan. Some groups may have nearly daily changes and be near the top of the recovery (or availability) food chain - these plans HAVE to be updated near-real time due to their heavy impact on the well-being of the organization. Others (i.e. Audit is a typical example) are more stagnant regarding change and may not require such vigorous change management requirements.

Regardless, I always had folks reviewing the plan contents monthly, at a minimum, with an emphasis on ongoing change management for key people, process or technology changes midstream. It's a culture change and, if done correctly (i.e. via web-based software), is rather painless if the end user is persistent. Just remember - the longer the plan goes unchanged, the more edits will need to be made, leading to more work required to update it.

Personally, I believe semi-annual updates are just provoking the Furies and the Fates - unless, of course, your organization remains static for six months at a time. :-)

Hope this helps...

Jeffrey M. Dato, MBCP
Senior Manager - Risk & Advisory Services
KPMG


Hi Brad . . . at SunGard we typically recommend the following:

Quarterly updates on resource information (contact lists, equipment lists, vital records lists, etc.). This is the information that tends to change most frequently.

Semi-annual reviews on recovery strategies and procedures.

Reviews and updates should also be done whenever a "significant" change takes place, such as a reorganization, new software implementation, etc.

We also suggest annual exercises, at a minimum. These exercises include alternate site tests, walk-through exercises, etc.

Hope this helps.

Judith
_____________________________________

Judith Eckles
Sr. Director, Special Projects
SunGard Availability Services


The responses reflect the views of the individual EAB member, and do not necessarily reflect the views of their employers, the DRJ, or the EAB as a whole.