Although every business executive understands the importance of a disaster recovery (DR) plan, the difference between having a plan and having a usable plan is like night and day.
A DR plan changes as the business does, is updated regularly and tested once or twice a year. But that level of commitment requires not only sufficient funding but recognition among company leaders of its importance.
"As we get further away from the events of Sept. 11, those who didn't have a catastrophic failure of voice and data don't remember what it was like not to work for three to five days," says Ronald H. Bowman Jr., executive vice president at New York-based Tishman Technologies, a national leader in location analysis, planning, construction and commissioning of 24/7 data centers and technology infrastructure. Clients include Bank of America, Reuters, Merrill Lynch, Morgan Stanley and Bank of New York.
Commitment to business continuity is first and foremost an executive management issue, says Ben Thornton, director of disaster recovery/business continuity planning at Corus Group LLC, based in the Atlanta suburb of Norcross. "Throughout 16 years of consulting experience in this industry, I have yet to see a business continuity program be truly successful without visible and effective executive support," Thornton says. "That requires an executive team that understands the threats and other exposures to their business, and makes a commitment to take action."
Many companies get gung-ho about business continuity when faced with an audit, but having a plan is just the first step. Plans can quickly become outdated as technology, personnel and business lines change, so regularly scheduled plan maintenance and regular testing are essential to ensure team leaders are familiar with the plan and how it relates to the company's overall business.
Interphase Systems CEO John Biglin relates the story of a Fortune 200 company whose DR plan consisted of an elaborate contact list and phone tree, with only one page dedicated to data recovery. That page included a link to recovery instructions on the company's servers, which, of course, would be down.
"The shock on a CEO's face when we tell him his business can't recover [from a disaster] is amazing," says Biglin, whose company specializes in virtualization and disaster recovery plans.
Another common mistake companies make is the belief that mission-critical servers and databases don't interact with other software and hardware that are equally vital to the operation of the business. Authentication may be required to access a database, for example, but if that system isn't on the DR plan, the server still couldn't be accessed.
To increase the utility of DR plans, Bowman advises companies to compile a list of no more than 10 priorities that relate directly to profit and loss, elements that affect a company's brand, billing and critical employees. By focusing on those key elements, a DR plan is more likely to gain the traction necessary for periodic updates and testing. These elements include:
- Make sure the plan is distributed electronically and in paper form both on and off site. Keep is short, sweet and easy to understand.
- Establish beforehand who will do what in case of emergency and be sure each person has the skills necessary to perform the assigned tasks.
- Establish modes of communication that likely will survive a disaster. Phones? Radio? Servers? WAN? LAN? Satellite? RF? FSO?
- Execute risk mitigation of data: in-flight trades, record storage, evacuation, etc.
- Execute remote data recovery protocol.
- Communicate to customers/clients status of business and anticipated duration of consequences. Be brief and direct and honest.
- Focus on core business and brand by employing protection protocols. De-emphasize noncritical business components.
- Communicate with staff on status of event and expectations.
- Execute living, travel and food plan for event.
- Set reasonable goals to recover data, business assets on an hour-by-hour, day-by-day and week-by-week basis, and stick to it!
"And remember, if you use a third-party outsourcer for data services, make sure they have a plan and test it," Bowman says. "Ultimately, though, you're responsible for keeping your data safe in the event of a disaster."
About this author: Matt Bolch (firstname.lastname@example.org) is an Atlanta-based freelance writer who regularly contributes to more than a dozen consumer and trade magazines on a wide range of topics, including technology and general business.