Organizing a Contingency Plan For Success
- Published on Monday, 29 October 2007 22:14
Developing a Contingency/Disaster Recovery Plan requires developing questionnaires and conducting interviews with virtually all departments in the organization to gather information. The result of this effort is stacks and stacks of information.
One of the main questions faced by the Contingency Planner is how to sort through all this information to ensure that everything has been addressed and how to organize the information into a workable plan?
Experience has shown that an effective plan must contain all the necessary information to activate the Plan, assess damage, implement a predefined recovery strategy, monitor the recovery process, and restore business as usual. That seems very straight forward and should be able to be done with all the accumulated stacks and stacks of information. Just put it into binders and distribute it to the Recovery Team members.
The problem is that the Plan must also be easy to read and understood by all levels of the organization. Management, the Recovery Team members and employees all need to understand the Plan.
Everyone should know the need for recovery planning, the recovery strategy, what needs to be recovered and in what time frame.
In addition, they all need to know who is responsible for the various activities, and what resources are needed. However, only specific teams need to know how to carry out the recovery activities assigned to them.
Therefore, the Plan, (that is the formal document that is distributed to Management, the Contingency/Disaster Recovery Organization and used to communicate to all employees), need only contain the following information.
The WHY (need for recovery), the WHAT (critical processes and resource requirements), the WHEN (critical time frame), the WHERE (recovery strategy), and the WHO (recovery team members and support organizations).
Of course the recovery cannot be accomplished without the HOW information. That is the detailed procedures and information required to carry out the actions identified and assignead to a specific recovery team.
This information should not be in the formal Plan. It is not germane to the Plan document itself, but is essential for carrying out the recovery. Putting all this detailed information into the Plan document makes it confusing, hard to understand and creates a maintenance nightmare.
Each recovery team needs to understand their role in the recovery process. They also need to understand what the roles of the other teams are and how they interact with each other. This provides a cohesive and effective Plan.
The Plan must be easy to maintain. The Contingency Planner is the most likely person to be responsible for maintenance of the Plan. However, they cannot and should not do it alone.
The Contingency Planner oversees maintenance. Each recovery team shares in this responsibility in that they are individually responsible for ensuring that the detailed procedures and information necessary to carry out their respective team actions are in place, and kept current.
The Contingency Planner ensures that this is done by developing and communicating a maintenance program that assigns responsibility and frequency of reviews.
In addition, the Plan must be able to be tested and audited. The Contingency Planner is responsible for ensuring that the Plan is tested and he conducts audits.
The Planning process is never complete. Testing the Plan will more than likely find problems that need to be resolved. This requires changes to the Plan or maintenance. The changes are communicated to the recovery team(s). That’s training. Then the Plan is tested again. That’s more training, possibly uncovering more changes. On the other hand, changes in processes or the business require a review of the Plan, resulting in changes that need to be made, communicated to the teams and then tested. The life cycle of maintenance, training and testing continues.
This being the case, lets try to make the process as easy as possible without sacrificing the quality of the Plan.
The first step in developing a Contingency/Disaster Recovery Plan is to determine what information should be in the plan, and how this information is going to be organized.
The format presented here provides all of the above and has a proven track record.
The size or complexity of the organization, nor the type of business has affected the basic concept. However, it must be noted that the content of each plan is customized for the specific organization thus making each Plan unique.
The concept of the format is very simple.
The entire plan consists of two distinct but supporting documents.
The first, I call the Plan (that is the document that is distributed to the Contingency/Disaster Recovery Organization).
The Plan contains only the WHY, WHAT, WHEN, WHERE, and WHO. The second, I call the Detail Reference Material that supports the Plan or the HOW information.
This information is compiled and maintained at safe and secure offsite storage location(s).
The Plan document consists of five sections as follows:
Section I - Introduction to Disaster Recovery
The intent of this section is to provide the background as to why the recovery plan is needed, identify the purpose, objective, and scope of the plan.
In addition, this section states any assumptions in order for the Plan to work. It should also define a disaster, show the reader how to navigate through the Plan, describe the contingency/disaster recovery organization or how the teams are comprised.
In addition, this section explains how the plan is maintained, tested, as well as how training is conducted. Plan distribution is also covered here. Average length of this section should be 7 to 10 pages.
Section II - Plan Overview
This section should provide the reader with a brief idea of the recovery strategy adopted by the organization, a narrative of the criticality of processing, the recovery time frame(s) and provide a management check list of major actions that may take place during a disastrous situation, including the restoration activities and returning to normal. Average length of this section should be 8 to 12 pages.
Section I and II when complete comprise a Management Summary of the Plan and can be used to brief management and provide a general overview of the Plan to the recovery teams and all employees.
Section III - Contingency/Disaster Recovery Organization Responsibilities and Activities
This section should describe the disaster recovery teams’ responsibilities and the detailed actions they perform, to assess damage, activate recovery procedures, monitor recovery progress, as well actions required for restoration and returning to normal processing at a permanent site.
These actions are one or two line statements with references to other parts of the Plan as appropriate.
Average length of this section should be 15 to 30 pages depending on the size of the organization.
Section IV - Notification Procedures
This section is used to identify all the areas that need to be notified and for what reason. It is extremely important that this section be complete and kept current. It contains names, addresses, phone numbers, and other pertinent information (i.e., site ID’s, contract numbers, etc.) necessary to activate the Plan and begin assessment, and recovery operations. Average size of this section should be 20 to 35 pages depending on the size of the organization.
Section V - Reference Material (appendices)
In Section III all the actions that may need to be taken are identified and assigned to one of the teams, but the detailed procedures on how to carry out the specific action is not included.
This section contains index listings of the information and detailed procedures required to support the actions of the recovery teams. This section contains only the titles and the offsite location where they are stored.
The actual detailed information and procedures for each recovery team would be in separate Contingency/Disaster Recovery Team Books located in safe and secure offsite storage location(s). Average size of this section is 20-30 pages depending on the size of the organization.
Note: This section would not contain the bulk detail of information and procedures. It would, however, provide an audit listing of them, the areas responsible for updating, and the location(s) where they are kept. The offsite information is the detail on HOW to perform the recovery actions.
The Plan format provides WHY you need to recover, WHAT needs to be recovered, WHEN the recovery needs to be accomplished, WHERE the recovery will done and WHO is involved with the recovery process.
The Plan format also provides a listing of the HOW procedures in an organized manner, but not the detailed instructions.
Those are in the actual Detailed Reference Manuals stored in an Offsite location. So all the stacks of information accumulated through the questionnaires, and interviews are used, but it is assembled so the appropriate team that needs it can use it.
When using this format you will be using references to other Sections and Subsections of the Plan.
Therefore, a good numbering scheme and one that can be used as a standard for all Contingency/Disaster Recovery Plans in your organization should be used. i.e., 1.0, 1.1, 1.2.1, 126.96.36.199, etc.
R. J. (Jim) Terry, CDRP, has been in MIS for 29 years. He works for Dyncorp in St. Louis, MOPrinted In Spring 1995