A recent Gartner Inc. survey published in the Disaster Recovery Journal shows that approximately 51% of respondents made changes to the disaster recovery environment on a predetermined maintenance cycle while only 35% relied on the production change management process.
The absence of change control is, by far, a disaster recovery plan's or disaster recovery environment's worst enemy. In fact, nonexistent or insufficient change management can be the cause of disaster. There are many documented cases of major outages resulting from poorly planned, yet routine software upgrades. Small and midsized businesses (SMB) can be particularly challenged when it comes to change control due to a lack of resources and funding. This often results in more cycles being spent resolving issues rather than preventing them.
Following is a summary list of change control related items that any size business with IT dependencies should consider with respect to disaster recovery:
Organizations with a hot-site subscription with a vendor must be reminded that, although a disaster recovery environment does not physically exist until needed, it is their responsibility to keep the vendor informed of any configuration changes to the production environment that might affect the disaster recovery environment. This should not be done only at contract renewal time but before changes are actually made to ensure that any arising technological or contractual issues are addressed during the planning process.
Just as we test our disaster recovery plans and procedures on a regular basis (technically), it is also advisable to test your change management process. The mere existence of change control does not automatically guarantee efficiency of the process. This can be as simple as conducting a post-change review to make sure every aspect and possible impact of a change were considered prior to its implementation.
IT organizations wanting to help their change management process reach maturity may elect to follow IT industry best practices and guidelines, such as those outlined in the ITIL framework (IT Infrastructure Library).
Whether world class or entry level, change control must not only protect your organization from the impact of poorly planned IT changes; it must help keep both the production and disaster recovery IT environments fully synchronized and ensure all associated documentation and procedures are in good maintenance.
About the author: Pierre Dorion is a certified business continuity professional for Mainland Information Systems Inc.