To achieve an effective recovery from a catastrophic event, it is incumbent upon a company to implement as many proactive measures as possible prior to its occurrence. Ideally, this will mitigate both the company’s risk factor and the negative impact an unavoidable problem could create.
Prudent risk management takes into consideration those measures that, when implemented, can best manage and ameliorate the risk factors with which the company is already familiar. These factors may include:
- Back-up strategies that reflect the critical nature of the data
- Comprehensive knowledge of co-dependencies with other enterprises that may be affected
- Thoughtful assessment of geographic considerations and risks (hurricanes, ice storms, flooding, etc.)
- Knowledge of the available supporting infrastructure, i.e., telecommunications networks, power grids, etc., and existing redundancies
Operational risk management accounts for all known, controllable, and hopefully preventable factors, as well as other areas of a business continuity plan such as crisis management planning and recovery strategies. It also deals with the development, implementation, and administration of procedures and the resolution of critical necessities that, despite a firm’s best efforts, must be considered when an incident occurs. Once an event happens, all delineated process steps become critical to achieving maximum effectiveness and overall success. Without sound operational risk management, it is unlikely that the rest of the plan will work. Operational risk management ensures that those factors that are idiosyncratic to an individual business have been properly considered and addressed.
Still, there really is no single, “perfect” disaster recovery/business continuity plan. Every company needs to customize its own plan, one that makes allowances for the corporate factors that are inherent to its success. Therefore, disaster recovery and business continuity planning has to be tailored to address those issues that have the greatest impact on an individual business. For instance, a Web hosting company may only need to recover technology, telecommunications and a few operators, while a catalog company requires the physical space and equipment to recover the duties of hundreds of telephone operators and CRM personnel.
Generally, there are five major considerations that should be addressed when developing a recovery plan:
1. Make sure all critical, corporate data is backed up, offsite, and that the company’s technology is protected
Recovery of customer information, history, or payment records cannot be implemented if the data is lost. Make sure an automatic backup mechanism is installed on the company LAN. If the business is smaller in size, make sure each PC is backed up at timely intervals. The time saved by not having to recreate or piece together critical company information may save the business.
Maintain a complete record of the firm’s technology configuration for potential replacement. The most effective way to ensure the fastest recovery possible is to have a contract in place with a disaster recovery specialist who can provide the requisite equipment and technology at a moment’s notice. Placing the company’s trust and dependence in the capabilities and inventory of the local superstore following a disastrous event is risky, at best. That retailer may be confronting the same problems facing your firm, or lack inventory and fall short of what you need.
2. Cross-train critical company employees
It is imperative that more than one company employee is capable of implementing company-critical functions. Relying on a single individual can compromise a recovery effort because that person may not be available when his/her services are most needed.
Also, it is a sound practice to have a succession plan in place for all critical personnel, whether these individuals are the CEO or the person who manages the daily back-up procedures. Make sure the succession roster includes knowledge leaders, “keepers of the key,” star performers, and the person with the supplier phone list. It is more than prudent to designate several high-level employees who will have the authority to make critical business and management decisions about business operations, expenditures, staffing, etc., so the firm can recover smoothly and quickly, no matter what.
3. Communication is key: Be able to contact your employees after a disaster
When developing a recovery plan, always remember to take into account that phone lines and other critical communications infrastructure may be down or personnel may have to be evacuated. Keep up-to-date records of employee cell phone numbers and “backup” numbers.
It is also important that company management be proactive in communicating the firm’s ongoing status and situation to employees. Workers might assume a business is “closed” if they view scenes of devastation on TV. Consider several communications options such as broadcasting a message to personal e-mails or even over local radio.
Make sure a mechanism is established so employees can contact management after a disaster (via a hotline, Web page, etc.). This way they can touch base about their responsibilities and what they need to do, especially if they can’t be reached directly. Keep them informed about the event and the firm’s ongoing recovery efforts.
Also, it is a good idea to designate several individuals as the company’s authorized representatives for dealing with the media. Make sure they have been adequately prepared to present the firm’s efforts and situation in the best light possible.
4. Some infrastructure recovery may be out of your hands so plan accordingly
If an enterprise’s recovery plan entails communications issues (i.e., customer contact, data transmission, etc.), anticipate it may take days or weeks before the physical infrastructure can be restored. Plan ahead and make allowances. Consider satellite and wireless options as effective alternative modes of communication.
Also, make sure to implement similar provisions for the company’s power requirements. Consider generators as alternative power sources. Still, it is incumbent upon management to procure the required equipment, fuel, and peripherals. Have them on site and available, ahead of time. Once a disaster strikes, it may be impossible to find the required resources. Remember, there are vendors who can provide this type of infrastructure. Otherwise, consider local hotels and/or conference centers as alternatives.
5. When planning, always remember that every disaster has a human impact
When developing contingency plans, keep in mind that company workers may have suffered personal losses of home or property, or may have incurred injuries to themselves, family members … or even worse. If this is the case, they may not be able to return to work promptly. Organizations should consider such potential problems and incorporate suitable allowances when building staffing requirements into recovery plans.
It can also be beneficial to plan to be a good, socially responsible corporate neighbor whenever possible. If the company can provide a needed service that will assist your local community in time of crisis, then do so. If it will help the local community to rebound from the incident, it will go a long way to build goodwill for the business.
When it comes to the actual recovery plan document, there are a few key elements that companies should consider:
- Less is more: Although a comprehensive plan that accounts for all eventualities is a corporate need, having one that is two-feet thick and can’t be understood by anyone, except the author, is useless. Clear, concise procedures and plans make more sense, are easily understood, and are far more effective.
- Involve the recovery team: The appropriate corporate personnel and/or department experts should write each relevant section of an effective recovery plan. All team members then should review them since a single author generally does not intimately understand every aspect of the business.
- Distribution: Every employee who is expected to actively participate in the company’s recovery after a disaster must have their own copy of the plan. They should be fully aware of their roles and responsibilities should a disaster occur. This is true for the CEO as well as the call center agent.
- Testing: Have all employees read the document for accuracy and practicality. Conduct a walk-through and regularly schedule annual tests to determine the plan’s effectiveness and implement modifications, as needed.
In today’s world of round-the-clock service, Web-based applications, and reliance on outside infrastructure, no organization can afford to be without a recovery strategy. Regardless of size, an effective disaster recovery/business continuity plan is simply a matter of survival.
Bob Miano is CEO of Agility Recovery Solutions, the premier provider of portable on-site recovery and business continuity solutions across the United States and Canada. Formerly GE Capital IT Solutions Disaster Recovery Services, the company has operational facilities in Toronto and Atlanta, and inventory in 35 states and two provinces. For more detailed information, please visit www.Agilityrecovery.com or www.agilityrecovery.com/direct/.