IT Focus Area: BC/DR
March 19, 2012
4 Things Organizations with Effective BC/DR Programs Do Well
Business continuity and disaster recovery (BC/DR) is the process of helping companies prepare for and quickly recover from disruptive events, so critical business functions will be available to stakeholders who need access to them. With information technology playing a bigger role in today’s always connected world, BC/DR can no longer be ignored, because even the smallest events such as a one-minute power outage can mean potentially big losses to certain companies in certain industries.
After working with hundreds of clients, I have found there are four things that companies with effective BC/DR programs know and implement consistently. The purpose of this article is to challenge your thought process about BC/DR programs and start a discussion on how your organization can become even more effective contingency planners.
So what do organizations with effective BC/DR programs do well?
1. They begin with the end in mind.
Organizations that have a clear vision of where they want to go and how they plan on getting there are usually the most effective. The challenge is how to match the vision of a BC/DR program with the overall company’s vision. To start, organizations typically ask four important questions:
1. What is the vision for our business continuity program?
2. What will it look like three to five years from now?
3. Will the recovery strategy be the same?
4. Which technologies can we use to reduce recovery windows and provide better service to our external and internal clients?
It is unlikely that there will be only one step between where an organization is today and where it wants to go. Beginning with the end in mind means identifying where your BC/DR program should go and developing a roadmap to get there. In this context, a roadmap should depict a series of logical portions of the overall effort and their interdependencies. Additional detail and documentation should describe the tasks, resources, target dates and responsibilities.
2. They are proactive.
Too often, BC/DR programs are only enhanced following a disruptive event or an audit. Don't wait for something or someone to tell you that your BC/DR program needs to change. Anticipate the possible shortcomings of your plan, in light of the expected—and unexpected—incidents that may occur. Find the flaws in your plan and fix them before an event occurs. Review the plan from the perspective of the most critical auditor or examiner.
3. They understand BC/DR is more than a technology issue.
A fundamental principle of contingency planning is that it is really a business issue, not a technology issue. The technology components are tools to support the business objectives. Therefore, it is critical to understand the business environment that your company operates in and all current and planned regulations.
Be aware of the threats and risks that exist to your facility, technology and business processes. Take appropriate actions to mitigate, assign or accept those risks. Research and understand the requirements of applicable laws and regulations that have oversight of your BC/DR program.
Be aware of the agencies that you will need to interface with during an event, and understand their expectations and requirements when they arrive at your facility. Recognize that public sector agencies would be interested in participating in exercises and drills with your organization. Develop a strong relationship or partnership with them prior to an emergency event. Involving them in your exercises will provide a more efficient and expedient recovery process, when it matters most.
Be aware of best practices in business continuity, disaster recovery and incident management. Applying these best practices will increase the viability of your program and, ultimately, enhance your company’s shareholder value. Be attentive to recent disasters and disruptions. Learn from the mistakes made in them. History can be a great teacher.
Understanding the larger view of the business environment that your company operates in, learning from previous experiences and applying best practices will be helpful in the long run.
4. They are prepared for the “real” recovery.
It may not always be possible to conduct a real test without negatively impacting your company’s production processing or the workflow of business operations. However, unless your company exercises the plan the way you would try to recover from a real outage, you may not be as prepared as you believe you are. It is best to utilize realistic scenarios that match the vulnerabilities your company faces, as much as possible. Applying this approach will prepare your organization for an unplanned event. Exercise as much of the plan as you would need to activate during the incident. Oftentimes, many recovery exercise programs are only exercising a portion of the plan on any given test, not the entire program.
When a disaster occurs, you should be able to execute all aspects of the plan at the same time. Will you truly have all the resources available simultaneously? Will the resources available be able to perform the full load of work in the same amount of time that they performed a portion of the work during the exercise? For example, it is not uncommon for organizations to send two or three IT staff to the recovery site and restore 10 servers within six hours during a test. That same organization may have a recovery time objective (RTO) of less than 10 hours for more than 100 servers—and only two additional technicians. Assuming there is no provision for additional resources, even with no problems occurring, such a goal is probably unrealistic.
To ensure the recovery timeframes can be met, work toward exercising as much of the plan as possible, simultaneously, because that is what you will have to do during a real event. Stop preparing for the test and start preparing for the real disaster by reducing exercise preparation windows. Chances are you will not see the power outage, hurricane, train derailment or the fire in the adjacent building coming 12 weeks in advance. However, so many organizations take six, 10, 12 weeks or longer to prepare for such an exercise. Not every test can be completely unannounced, as many business disruptions are. Are you truly preparing your company for a real event with a two-week notice?
Two other factors in being truly prepared are the training and awareness program and the procedures for updating a plan. There is a direct correlation between the level of awareness among your employees and suppliers of your recovery plan and their responsibilities as part of the plan, and the effectiveness of the recovery effort. Your training plan should include regular reviews of the plan, along with dialogue, to ensure every stakeholder truly understands the processes and their roles and responsibilities for a disruptive event. And don’t forget to include suppliers in the training activities as well. Keeping the plan current would appear to be an obvious requirement for being prepared for an unplanned event. How prepared would you be if the contact information or procedures to follow were outdated in the plan?
An Effective BC/DR Program Is More Than a Checklist
Contingency planning is not just about following a checklist of preparation activities, but also about being on top of things before the impacts occur. Making sure your company has an effective BC/DR program is more than the framework—it is about truly being prepared for a real event.