
Disaster Recovery Planning: Who Needs A Seat At The Table & Why

Whether you’re implementing or just refining your disaster recovery (DR) process, one of the most important things to consider is your team. Depending on the people at the helm, your efforts will either be thorough and coordinated, or incomplete and disjointed. To start off on the right foot, you’ll need to assemble a knowledgeable group whose areas of expertise cover all the necessary bases.

Below is a list of roles that, in our view, are instrumental to the success of disaster recovery planning. Note that in your organization these roles may not be clearly defined yet (there may not be anyone who currently holds the title Disaster Recovery Coordinator, for example), but these roles should be assigned before the process begins.

Key Roles & Responsibilities For The Disaster Recovery Planning Team 

Your disaster recovery planning team should consist of the following:

Management Steering Committee

Executive team members who oversee the process are involved at a high level, which means they may not technically need a seat at the table—but they should be standing in the room. They play an important role when it comes to approvals for things like budgetary issues, policy considerations, strategic direction, and overcoming roadblocks or intradepartmental issues. These individuals might be part of an existing business continuity oversight committee, or form a separate disaster recovery steering committee, depending on the organization.

Disaster Recovery Coordinator

The disaster recovery coordinator is an individual from IT who manages the overall recovery in the event of an actual disruption. They are typically also a member of the emergency management team. The disaster recovery coordinator is responsible for setting recovery plans into motion among the team, and coordinating those efforts as they progress. They also help facilitate resolution of problems encountered along the way, and remove roadblocks that slow the process down.

Business Continuity

Business continuity and disaster recovery go hand-in-hand. The business continuity “expert,” so to speak, fulfills two important roles on the team:

  • To ensure that IT recovery plans align with business needs. Business needs are determined by a Business Impact Analysis (BIA), which is completed before disaster recovery planning is set in motion. If you haven’t done a formal BIA, an informal one will do in the short term, so you can move forward with the DR process. But it’s important to realize that a BIA in some form is critical to DR; without it, you have no clear goals and your efforts will undoubtedly fall short of meeting real recovery needs. The business continuity representative bridges the gap between business and IT to ensure that critical business needs will be met through IT recovery plans, and that any gaps in alignment are addressed.
  • To ensure that the necessary components of business continuity are present in the disaster recovery plans. While IT brings technology expertise, IT participants may not be well-versed in basic business continuity essentials involving emergency or crisis management—how to report information during an event, contact lists for key personnel, vendor information, etc. All of these components pave the way for a smooth and effective recovery process.

IT Infrastructure

Because their areas of expertise apply to the building blocks of an organization, these team members do the lion’s share of the actual recovery work. Each of the infrastructure representatives is responsible for identifying strategies and solutions that will recover critical operations in their areas of expertise, implementing them, and testing them to ensure that they work. The strategies they design must meet the requirements for critical business units as outlined in the BIA. You’ll want three individuals from IT infrastructure on the team—one from each of the following areas:

Servers/Storage/Databases

  • Servers—Almost all technology runs on some type of server. This person should be intimately familiar with the server and operating system infrastructure along with the backup or replication technologies needed to meet the recovery needs. With the increased use of virtual machines, the implications of the differences between the use of physical and virtual environments must be addressed and understood.
  • Storage—Data protection or replication is a critical recovery component. It is now often the major component of the recovery strategy and capability. In most organizations, the storage used in the processing environment is not completely local to the servers (whether physical servers or the server running the virtual environment).
  • Database administration—Databases house the data that applications depend on. This is an architecture unto itself; databases may be shared across applications or run on individual or shared servers. Depending on the organizational structure, the database admin may be part of the infrastructure or application team. No matter the organizational setup, database administration and the impact that the data protection strategy may have on the data and database recovery requires participation from this area.

Networks/Telecom

  • Networks—Nothing works without firewalls, servers, storage, etc. This person should be intimately familiar with the network infrastructure of your organization and be able to take charge of recovery strategies related to it.
  • Telecom—Disruptions often affect voice communication infrastructure, making it difficult for employees to communicate inside the organization, as well as with external business partners and customers.

IT Applications

Depending on IT infrastructure recovery plans and the extent of the actual disruption, the individual(s) responsible for applications may play a greater or lesser role in recovery. But they do need to understand, based on how the infrastructure team proposes to restore the environment, what additional application tasks may need to occur—i.e., changes to app configuration and settings, data consistency, or application integrations. They should work closely with the infrastructure representative to identify recovery steps and design an appropriate plan that meets the needs of critical business units.

An optional but useful addition to the team:

Advisors From Critical Business Units

Though it’s not a necessity, you may want to invite representatives from critical business units (those who participated in the BIA) to advise on disaster recovery planning efforts as needed. Rather than presenting the team’s plan as a done deal to business units, it’s helpful to discuss the plan earlier in the process to gather input. How will business processes be impacted by your proposed recovery plans? Is your plan feasible, or will it require the business units to create additional workarounds? Sometimes DR teams may propose alternate recovery methods that impact the requirements stated by the business unit; input from the business units is a must. For example—“We can recover this in four hours, but if you can wait six hours we can save $500,000. Will that work?” This is a good strategy for integrating IT and business, and boosts the likelihood of the plan’s overall success.

Final tips for disaster recovery planning…

  • While you should be focusing on recovery plans for critical business units, it’s a good idea to at least consider possible strategies for less critical applications. In a real event those processes and systems will also have to be restored, so it’s a good idea to have some idea of how you’ll go about doing that.
  • Many organizations overlook the integration of applications when it comes to recovery—for example, the integration of human resources data with a project management tool, or the flow of financial data from a purchasing tool to your finance application. It is often assumed that integrations will work because individual applications are up, but is that really the case? And don’t forget about data synchronization; how will related applications with varying levels of backup be brought back into sync? Consider app integration in your plans to ensure a smooth recovery all around.

Having the right people on your disaster recovery planning team is a necessity for any business continuity program; the next step is enabling the creation of business recovery plans that actually work. With the combined knowledge and expertise of the above-mentioned individuals, you’re well on your way to being prepared for anything.

Michael Herrera is the CEO of MHA Consulting, a leading business continuity planning and information technology consulting firm, and the founder of BCMMetrics, which specializes in business continuity software designed to aid organizations in developing and executing business continuity programs. Richard Long is a Senior Advisory Consultant and practice team leader for Technology and Disaster Recovery related engagements at MHA. 
