For the dedicated technologist, disaster recovery (DR) planning can be fun. It involves new technologies, new approaches,
vendor presentations, free lunches, new skill sets and the opportunity to demonstrate just how much the business units really need IT. However, the temptation to plunge into this pool of excitement without planning is often overwhelming. Resist the temptation. A little creative work up front to properly set the scene will have a big payback down the road.
The first step is to ensure that you, your team, the business units and your CFO all understand, agree and buy into the disaster scenarios your plan will mitigate. So, it is critical to develop a corporate disaster recovery policy statement that sets the goals and objectives for DR at a level that crosses all organizational boundaries. This is the key to gaining a strategic understanding of your objectives and determining the budget you will require for the project. The business units must commit to the constraints that the scenarios and assumptions may have on their operational readiness in a post-disaster situation.
Knowing what is driving your DR plan helps you to be grounded in reality and takes a pragmatic approach that fulfills the desires of the sponsoring business units. Without this grounding, you could embark on a quest to provide far more than the sponsors ever imagined (with consequent shock and awe as you present your first budget request).
Alternatively, you might embark on a minimum effort in an earnest, but misguided attempt to constrain cost and optimize time to deliver. Yet you may find that the very basic approach you have undertaken does not meet the needs of the sponsors for a demonstrable recovery to full production.
What should be in a corporate disaster recovery policy?
While the actual policy wording will be highly situational and reflective of your own particular business, there are several important components you should include in a corporate disaster recovery policy. The following draft policy illustrates an example of many of the components you could consider:
The XYZ Corporation is committed to fulfilling its obligations to the customers, the shareholders and employees by ensuring that a disaster recovery capability is in place and tested sufficiently to ensure that the corporation's ability to service its customers and secure its revenues can continue in the event of a disaster.
The cost of preparing and testing disaster recovery will be considered a cost of doing business. Business units will be responsible for formally identifying the impact on the organization should their business unit be unable to operate. The business unit will budget for the appropriate investment to mitigate this risk.
IT will provide four levels of disaster recovery services designed to meet the business needs. Each level of service will define the time to recover access to the application, and the allowable data loss that can be tolerated after a disaster. IT shall be responsible for testing infrastructure recovery on an annual basis. Each business unit shall be responsible for testing resumption of business on an annual basis.
A Business Continuance Director shall be responsible for assisting each business unit to develop and maintain business continuity capabilities and for the coordination of recovery tests between the business units and IT on an annual basis or more frequently.
In this phase of the organization's implementation of provable disaster recovery capability, we will consider the survival of our staff as a primary assumption.
Take the time now to facilitate the development of your corporate disaster recovery policy statement on the DR plan's objectives, drivers, assumptions and responsibilities. Set up preliminary discussions, seek ideas from each executive and offer draft statements. This will demonstrate your ability to seek executive guidance while capturing key drivers, needs and assumptions for the policy development.
You should also have discussion sessions one level down with key managers to gain additional participation in the drafting of this policy. Offer as a basis for the discussions potential "bullet points" or "draft phrases" for each component of the policy. Typically, at some point in the creative process, the executive team will adopt the policy development, take ownership, refine and publish the policy.
Now you have the "legal" foundation for your project, a clear and compelling statement of objectives and the drivers behind the objectives for a significant corporate investment. However, your job isn't done.
You need to make sure that everyone knows about the plan. Executives may fail to communicate this policy effectively unless prompted. You will need to follow up and help the various parties understand the implications of this policy, the drivers behind it and how this will impact each of them and their role in either infrastructure support or application usage as the DR plan is developed.
About the author: Dick Benton is a principal consultant at GlassHouse Technologies, Framingham, MA.