Prepare or FailWritten by Mike Sheehan Saturday, 17 November 2007 22:34
you’re preparing to fail"
— Bobby Collins
This article is intended to provide relevant and factual information to help you plan your DR resources. After experiencing far too many corporate disasters, most plans fail to appropriately measure personnel factors. For instance, during a major hurricane, many employees may be unable to make it to the control center, and most really did not care about the company at that point, when more pressing family matters were of importance. So if you really want dedication, factor in the care of employees and their families to ensure commitment.
A comprehensive business recovery program involves/considers coordinated planning, risk evaluation, impact analysis, alternative strategies, facilities/utilities, data/physical security, back-up of vital records, teleprocessing (TP), emergency response, restoration, public relations, communications with public authorities, training, auditing, and testing.
5.Coordination with Public Authorities
6.Public Relations & Crisis Communications
10.Plan Maintenance & Exercises
Other factors for consideration include disaster predictability, speed of plan implementation, rapid notification of team members, personnel availability, power generation, electrical capabilities, and simple but essential concerns such as air conditioning, water supply, and consumer products.
The above components will assist contingency planners to identify cost/benefit analysis, budget limitations, risk mitigation, facility disruption, liability concerns, recovery priorities, standard procedures, policy coordination, compliance with statutes/regulations, contractual obligations, media relations, and communications with key customers, suppliers, agencies, shareholders, and corporate executives.
It is easy to see that management of technological assets is becoming a prime motivator, and is driven by regulatory requirements in some cases. For instance, not only is it sound business practice to implement this plan, but many financial auditors are fast to illustrate the exposure, and compliance is sometimes mandated within certain time-frames. Another alternative is to obtain business interruption insurance to prevent losses, but the more proactive strategy is to minimize the impacts, based on recovery time objectives.
Since vital records are irreplaceable and may cause financial havoc, their well being and rapid availability is essential. On-site back-ups are often of little use, and typical contingency plans should assume these records are destroyed, so the status of the current off-site repository becomes a vital recovery factor. Even when using a remote recovery site, typical recoveries range from 12-24 hours, so automation and business resumption are of primary importance.
An important note is that while 70 percent have plans, most do not test their plans, only 12 percent have an effective plan, and costs average $19,000 per hour of down-time. Prudent fiduciary managers should consider these staggering data, since preparing for disaster recovery is similar to the Year 2000 planning process.
Without vital records, immeasurable fiscal consequences may result from inaccurate record-keeping, accounting/inventory omissions, customers seeking other products/services in the interim period, and potential long-term losses due to customers never returning due to lack of trust or reliability.
Since many businesses rely on automated informational technology, general data-processing considerations would include management of technological assets, manual processing techniques, reconciliation strategies, network dependencies, command center location(s), recovery facilities, mobile recovery, tape accessibility, communications, and hardware/software reliability.
Specific data concerns include data storage, back-up, retrieval, synchronization, continuity, logistics, and speed. Although remote mirrored DASD is often considered, it is a huge expense and still does not absolutely guarantee restoration. A combination of strategies is often necessary for true and absolute recovery within reasonable time-lines.
Proper evaluation of alternatives, and actual drill exercises become even more important when viewed in light of vital record requirements. It would be ideal to have localized back-up availability, secure off-site redundancy, and a way to synchronize data recovery instantaneously.
Most companies cannot afford all three of these luxuries and instead opt for some combination of the above. A reasonable recovery time at a reasonable cost is often desirous, since vast improvements in either arena may raise prices exponentially. One critical ideal is to have certain applications recoverable before others, such as ATM functions becoming available before retirement rosters.
Also, it is beneficial to have fast, automated, and error-free daily back-up of files to save countless repetitive man-hours inherent with JCL rewrites. This understated process also greatly reduces the weeks and months of planning for recovery drills.
Daily back-ups, automation, and recovery times are all inter-related, and should be tied together into one cohesive response plan utilizing appropriate solutions based on cost effectiveness and business continuity objectives.
With these precautions, planners can reduce the response team personnel requirements, and prepare for unannounced drills, which are typical of real time disaster scenarios.
Mike Sheehan, CBCP, has a Bachelor of Science Degree and 18 years of disaster recovery experience. He has successfully instituted recovery procedures in dozens of actual emergencies, such as fires, hurricanes, explosions, and floods. He is a key member of Advanced Software Products Group, Inc., responsible for business continuity and data recovery planning, at their international headquarters in Naples, Florida. ASPG sells data recovery software for accurate/speedy back-up/recovery of files.