The recent unthinkable terrorist attacks have propelled disaster to the forefront of our nation's consciousness and forced business leaders to confront anew the question, “What If …?”
I suspect that replies engendered by that simple two-word question have been shocking eye-openers to executives, especially the men and women responsible for IT infrastructure.
I've marveled over the years at how otherwise-prudent executives remained somewhat indifferent to discussions of the consequences of disasters. In fact, my colleagues and I often refer to disaster recovery planning and business continuity as the ugly stepchild of IT, relegated to the back of a long line of more attractive siblings, such as new hardware and upgraded software.
Tackle the Rudiments
The attacks on the World Trade Center and the Pentagon were so extraordinary as to defy the imaginations of the very best disaster recovery planners. Of course, disasters of that magnitude are not where CIOs and other IT professionals should be directing their attention first. Instead, they need to tackle the rudiments. Doing so will provide the foundation for virtually any contingency.
Consider, for instance, the case of the deep fryer. A conscientious company enthusiastically backed up its data on a daily basis, a practice that is a tenet of data recovery. But when the deep fryer in the cafeteria, located one floor below the data center, erupted into flames, the backup tapes were nonetheless destroyed, along with much of the data center. Why? Because the company failed to secure the tapes at an offsite location – another tenet of disaster recovery.
Experience has shown that asking, “What If …?” is the best way to guard against having to ask, “Why Me?” As exemplified by the deep fryer anecdote, the solution is often simple. Here are some things to remember when developing a business continuity strategy, keeping in mind that disaster recovery is process-oriented – not technology-centric.
Write It Down
Develop a business recovery plan, a process that uses documented, predetermined procedures and tactics to restore mission-critical business functions and avert unacceptable loss.
Understand Vulnerabilities and Risks
This requires a risk assessment, a process for analyzing the probability of a given problem, the current business functions that might be affected and the likely impact on the organization, based on the length of the outage.
Determine the amount of time the company can afford to be out of operation, as measured in revenue as well as intangibles. An outage of more than a few minutes is unacceptable on an airline reservation system, for example, while a distributor may survive for several days. The amount of time you can afford to be down will determine the next step.
Finalize Your Strategy
While the amount of allowable downtime will determine the strategy for the most part, it is no longer as simple as choosing between “hot-site” and “cold-site.” Today's environments and capabilities provide a number of permutations of the basic options. Choose the one(s) right for you.
Vital Records Review/Plan
This is a non-IT departmental self-assessment to ensure that a disaster would not result in the loss of business-critical information, regardless of the recovery strategy chosen.
Ongoing maintenance and updating of plans is essential. The plans should be regularly tested by trained staff to ensure that they work and that they provide appropriate protection.
Finally, the very heart of recovery planning is balancing the cost of protection and recovery with risk. This principle must be constantly applied during every segment of the recovery planning process to ensure that you invest only in what is essential for protection and recovery, and no more.
Michael Symmers is a business recovery specialist in Accenture's outsourcing unit.