Just as people in general tend to avoid detailed discussions about death, IT people tend to shy away from asking business users what they would lose if specific IT processes became severely compromised. A smart recovery strategy must uncover such specifics, however, in order to adequately allocate resources.
Simulations of recovery scenarios (war games) are rarely pushed far or fast enough. At the global bank, technologists weren’t ready to manage the recovery because they hadn’t rehearsed that scenario. The goal of conducting war games, which are relatively low-cost, is rapid resumption of operations with the least impact on customers, revenue, cost and time.
In addition to a chief risk officer, it may be helpful to appoint an IT risk ombudsman, a respected senior manager to whom IT staff can raise concerns without fear of personal exposure. The ombudsman should be a veteran technologist with a deep understanding of the whole IT architecture, and be able to spot problems without agendas or affiliations.
Robustness means more than the number of backups; it includes labor availability and partner capabilities. For example, a top credit-card processor’s call centers were shut down after a hurricane cut off the staff’s access to clean water, but the company was able to shift call volumes to outsourced centers.
Instead of rebuilding application by application, identify how each application maps to the technology platform and related (usually integrated) applications. Fix them in concert for faster results.