by Dawn Warner
The first step to understanding disaster recovery (DR) and business continuity (BC) solutions is to understand the scope and definition of the word “disaster.” When defining the word disaster, people inevitably take into account only natural disasters such as hurricanes, earthquakes, or tornadoes. However, the term disaster, in regards to business continuity, is defined on a much grander scale and can involve a variety of different occurrences, natural or unnatural, internal or external, and commonly not thought of or considered as devastating to a business.
According to recent statistics, the number one source of disruption to a business, causing significant downtime and revenue loss, is a power outage. Second is a problem with computer hardware, with third and fourth listed as telecommunications and software problems, respectively.
Figure 1 shows the major causes for disaster recovery services. (1)
Disaster may be caused by carelessness, negligence, bad judgment, hurricanes, earthquakes, floods, or tornadoes. As seen in Figure 1, 72 percent of U.S. organizations have experienced significant interruption and loss of revenue caused by power outages, with 52 percent experiencing computer hardware problems. The size and scope of these events have caused business executives to rethink their business continuance strategies and consider increases in capital expenditures for disaster recovery services. If any of these events occurred and business was affected, how long would the business be able to remain out of production without suffering damaging revenue loss or causing the business to close down permanently?
Disaster planning is imperative precisely because a business likely will die if a workable disaster plan is not in place when a disaster strikes. A study of companies that suffered a catastrophic data loss found that 43 percent never reopened, 51 percent closed within two years, and only 6 percent survived. In the 1993 World Trade Center bombing, 50 percent of the businesses without a disaster recovery plan were out of business within two years. (2)
In any disaster, there are various losses to consider:
- Physical facilities (destroyed buildings, work spaces, machinery, computers, inventory)
- Access to facilities (condemned buildings)
- Information (corrupt disk drives, damaged computers)
- Access to information (no remote database access)
- People (production, support, managers)
There should be two major segments to a DR plan, with one segment covering the daily “back office” business operations and the other being the “supply chain” facility operations. The plan overall should address all components needed to support the business when a disaster occurs. All areas need to be analyzed. Every physical, software, hardware, and human resource element, as well as every business process must be studied and addressed to ensure continuation in an event of a disaster.
A “supply chain” analysis is the second segment, which assists in addressing the recovery of the actual physical assets of the company. This part of the plan addresses issues such as how to handle unavailable manufacturing and storage facilities, order entry systems, shipping, and accounts payable/receivable. Businesses also must look at manufacturing operations and informational databases. The informational database should house all pertinent information relating to every aspect of business, from updated employee, customer, and supplier lists to detailed equipment and product specifications. It should cover anything and everything that pertains to the continuity of the business in case the facility is unable to be occupied.
Once the DR plan has been developed, it is extremely important to continuously review and evaluate the plan. An out-of-date plan is almost as dangerous as not having a plan at all. Today, many customers demand that their business partners have a continuity plan as part of the contract between them and that it be reviewed continuously. Any major changes, such as large employee shifts, increases in network infrastructure, or the addition of sub-units/departments, should trigger a plan review.
A DR/BC plan should encompass all aspects of a business, including supplier and customer networks. It should provide a solution that will account for and ensure the recovery of all business processes, provide an alternate workspace environment for employees, and facilitate ongoing operations within a timeframe that is consistent with the needs of the business. The monies invested now in a DR/BC plan could literally be the difference between sinking or swimming in the days and weeks after a disaster.
Footnotes
1 Rough Notes, July 2005 – Business Interruption Insurance – Death Protection for a Business.
2 Business Continuity Planning for IT Systems, University of Texas.
Disaster Recovery Checklist
- Select a coordinator to develop plan objectives, a methodology and an overview.
- Identify critical business processes and systems.
- Formulate hardware system and end-user recovery objectives and identify critical network operations.
- Assess threats such as fire, environmental contamination, physical security and software security.
- Create a records-retention procedure.
- Implement a back-up and storage strategy.
- Define and test storage, back-up, and application systems.
- Identify an alternate site for end users to work out of and contract with provisioning vendors.
- Develop network recovery and relocation strategies, as well as replacement options for hardware and service.
- Implement an alternate site that is engineered to deliver the recovery time and recovery point objectives.
- Define recovery teams and develop a communication plan.
- Publish the disaster recovery plan to include the recovery procedures.
- Annually test the disaster recovery plan.