DRJ's Spring 2019

Conference & Exhibit

Attend The #1 BC/DR Event!

Winter Journal

Volume 31, Issue 4

Full Contents Now Available!

Unannounced business disasters happen any time, anywhere and do not need to be the magnitude of a hurricane to cause serious problems. In fact, most disasters are caused by spontaneous mishaps in or around the work environment. Disasters can be something as simple as a lost file that was not saved or as large as a complete network failure. Consider some of these unassuming, yet potentially damaging situations:

- An employee is cleaning out the cabinets of a workstation and throws out installation backup disks.
- The only copy of the strategic business plan scheduled for presentation in the morning to venture capitalists is accidentally deleted.
- The building's fire sprinkler system shorts out -- water fills the inside of the CPU.
- A new employee in the Computer Operations department inadvertently erases critical files on servers containing web-based transactions, customer information, and the Call Center system files that control the automated telephone systems.
- A software developer discovers that hackers have compromised the company's new e-commerce on-line transaction processing web site.

Scenarios such as these can negatively impact productivity and bottom line profits. In the emerging area of e-commerce, the instantaneous retrieval of stored information is demanded 24 hours a day, making a high availability infrastructure a must. Organizations today can no longer afford to run their operations without a business continuity or disaster recovery plan.

What Could Possibly Happen?

Major disasters are much less likely to occur than unfortunate accidents such as described above; however, it is not uncommon to see situations such as fires, severe storms, or social unrest. Unanticipated weather conditions, like the recent typhoon that hit the Philippines and the scorching temperatures in Europe and Turkey this summer, can shut businesses down for extended periods of time. Similarly, in the U.S., major power systems have failed due to frequent variations in storm patterns causing blistering heat waves and raging storms.

Periodically, bombings in areas such as Africa or the Middle East have resulted in power outages and disruptions in communication systems. Computer viruses and equipment failures affect networks worldwide regardless of the temperature or location!

A Business Continuity Plan can help prepare for the unexpected extreme disaster as well as daily interruptions. Every business is unique and circumstances will vary, so it is essential to take the time before a disaster happens to assess operations to determine what level of Business Continuity Plan is required. All firms need some type of recovery plan regardless of the organization's size. It is just a matter of defining what is critical for business survival and what type of occurrences can occur.

What Is a Business Continuity Plan?

A Business Continuity Plan is a set of processes developed for the entire enterprise, outlining the actions to be taken by the IT organization, executive staff, and the various business units in order to quickly resume operations in the event of a service interruption or an outage. By establishing a firm list of activities to be followed, organizations can minimize potential losses incurred by downtime, reinforce their competitive advantage, and protect their reputation, which can mean life or death in today's highly competitive markets. The Business Continuity Plan should be strategically developed involving employees at all levels within the company. Once developed, the plan should be implemented, rehearsed, and reviewed on a regular basis to reflect the dynamics of the work environment.

What is Required to Set Up a Plan?

The first step to any change in a business process is to solicit and obtain the support of the owners or top executives. Without this level of support, it can be difficult to ensure that the plan is followed and maintained. Senior management's leadership and endorsement will provide credence to the plan and will promote participation from those who depend on the information assets of the company.

As with any successful project, the plan should be broken down into manageable phases to ensure that all action items are appropriately identified, evaluated, and implemented. The phases outlined below can assist companies in determining their needs and establishing an infrastructure suitable for the size and diversity of their unique organization. These processes are intended to provide a general guideline on how to go about developing a Business Continuity Plan.

Phase 1: Assess Business Needs

A thorough analysis of the enterprise should be conducted to determine which functions and business processes are critical to daily operations and which would be severely impacted by any type of interruption. This analysis should identify and outline all tangible costs such as lost revenue, labor hours, market share, and potential penalties or fines. Intangible costs should also be factored into the analysis. Examples of intangible costs might include the impact of lost credibility, deterioration in customer service, or any other activity that could negatively impact the perception of the organization. Although difficult to define, intangible costs can hugely impact profits if trust, functionality, and reputation are in question. Once action items and costs have been identified, they should be prioritized based on business requirements. It might also be helpful to try to answer some questions about how operations would be impacted without a business continuity and recovery plan.

- What type of interruptions might impact customer relationships and how will these affect public relations?
- Will any of these disruptions influence customers to search for services elsewhere and, if so, what will be the impact on revenue?
- Could the business be run manually, without computer systems, to process data and transactions for any period of time? If so, what would it cost?
- How much of a financial loss can the business sustain?

Answering these questions can provide an even broader perspective and can assist with assessing the size and scope of plan required.

Phase 2: Recovery Strategies, Plan Design and Framework

This phase involves evaluating various recovery strategies and determining the appropriate methods to adopt based on a defined list of potential disasters or scenarios. Recovery programs might be something as basic as periodic backup procedures for disks or smaller storage devices. In certain circumstances, it might be critical to ensure immediate data retrieval. This could be accomplished, for example, by establishing an identical (mirrored) network at a remote location. Depending upon the type, duration, and scenario, one recovery strategy may be more appropriate than another. It is critical that businesses have more than one recovery strategy with clearly delineated criteria. Some of the more common recovery strategy options include data backup through remote mirroring, automatic server failover, mobile data centers, coldsites, hotsites, redundant sites, or any combination. The infrastructure should be made highly available to prevent component failures or outages.

With the vast array of recovery options available, it might seem overwhelming to think about taking on one more task when there is not ample time to handle the current workload. In situations like this, it might be appropriate to obtain assistance from external organizations that specialize in the development of such plans. For example, Hewlett-Packard offers specific services dedicated to helping businesses develop and implement business continuity and recovery plans worldwide. Consultants that work exclusively with these types of programs not only help you create the infrastructure, processes, and documentation, but can also handle everything from the initial analysis through final implementation, including knowledge transfer, training staff, and facilitating rehearsals.

Once the most appropriate recovery strategies have been chosen, the design of the program can begin. It is at this stage that the level and scope of the overall plan should be determined based on the results of the analysis. In some cases, it may not be necessary to incorporate a full-scale backup and recovery plan for each business unit.

Phase 3: Developing the Plan

During this phase, key personnel and business units will be identified and selected to participate in the plan development. Several components will comprise the final plan and should be documented in detail. In order for the program to be successful, the following should be included in the Business Continuity Plan:

1) Hierarchical-structured emergency contact list detailing organizational structure, contact names, and telephone numbers of the people who will be involved in the management and implementation of all aspects of the plan.
2) Names, locations, and telephone numbers of contracted suppliers who will be involved in the recovery during a disaster. This should include a current list of all equipment that will be used and off-site facility emergency contacts.
3) A complete list of local agencies such as police, fire and ambulance services, and hospitals. This list should be maintained in case of major disasters, such as earthquakes or fires, where medical attention is necessary; it is important to have immediate contact with the appropriate parties.
4) Copies of insurance policies and the contact information of the carrier. These should be kept with the overall plan. If facilities or equipment are damaged, this information can help facilitate quick evaluations and expedite reimbursements.
5) An implementation plan and schedule for periodic testing of all activities in the recovery plan. The schedule should include debriefing meetings for all team members for the purpose of measuring and reviewing the results of tests conducted and recommending corrective actions and modifications to the plan as identified.
6) Instructions outlining the systematic activities and business processes that support the backup and recovery effort. These can range from building access procedures to coordinating communications with employees and customers. All documentation should be reviewed by everyone involved in the establishment of the plan, including consultants and off-site facilities managers, and it should be updated to reflect modifications and changes.
7) Audit procedures to ensure that the plan accurately reflects the current operation and recovery processes. Without periodic audits, plans can become outdated and effectiveness reduced when system failures occur.
8) Commitment, support, open communication, and full participation from all members of the planning and implementation team. Remember that this is a team function and, like any activity, it requires time, cooperation, and teamwork.

What Are The Implications of System Failures?

The financial implications of system and network failures can be devastating. Each minute of downtime equates to lost revenue and increased expenses. It also results in increasing the potential for losing critical information directly affecting the financial stability and profitability of a company. Because most sensitive sales, administrative, and production functions have been automated, the unrecoverable loss of data can shut down a business permanently. The figures below provide a few real-life examples of the cost of down time incurred by various industries.
In addition, statistics show that only 6% of companies suffering from a catastrophic loss survive; 43% never reopen and 51% close within two years. These examples illustrate the potential devastation that can occur by not taking a proactive approach to disaster recovery planning.

The Importance of A Working, Dynamic Business Continuity Plan

It is important to remember that the Business Continuity Plan is a living document that will be as dynamic as the organization and will be one of the most important processes incorporated. Without a well-written, rehearsed business continuity and recovery plan, businesses are being left open to the everyday threat of computer viruses, hackers, system and network failures, and natural disasters.

In the past year alone, there have been several memorable computer system disasters that have grabbed international headlines. How could we forget the infamous 'Love Bug' and 'Killer Resume' viruses that spread like wildfire and shut down networks in a matter of minutes? Or how about the computer failure at the National Security Agency that halted the processing of critical intelligence information and is being considered the worst computer system failure in the history of the NSA? And lesser known, but just as damaging, were the heavy rains and floods in North Dakota that damaged several businesses including North Dakota State University.

Disasters, large and small, strike daily throughout the world with minimal notice or none at all.

By incorporating recovery plans in advance, there is a much greater chance of eliminating disruptions and protecting valuable resources.

If you think that disasters will not impact your business, think again. The 'cross your fingers' approach will no longer work in a global economy that is dependent upon information systems. In the forever-evolving Information Age, it would be na've to assume that networks could be reestablished on the fly without any type of advance preparations and backup plan. The time taken now to develop and implement a strong Business Continuity Plan could make the difference between the success or failure of a business. Don't wait until disaster strikes to become educated on one of the most critical business processes today.

Belinda Wilson, CBCP, is the North America Program Manager and Global Service Manager for Business Continuity consulting at Hewlett-Packard. Ms. Wilson has over ten years of expertise in the area of business continuity, recovery, and high-availability, having assisted a number of HP's clients with successful programs. Ms. Wilson is a Certified Business Continuity Professional, has served on the Certification Board of the Disaster Recovery Institute, and is also an instructor for the Disaster Recovery Institute. Ms. Wilson was the President of the Business Recovery Manager's Association and the President of the North America chapter of the Association of Contingency Planners. For more information on HP's services, log into www.hp.com/go/consulting.