A Framework for Disaster Recovery Planning: Methodology in Three Industry Environments

Beginning of article

INTRODUCTION

Disaster Recovery Planning is the act of drafting alternative business processes when regular or normal processes cannot be performed. When vital business operations, such as communications infrastructures, are affected and mission critical systems are compromised, disasters are amplified. These alternative plans must be flexible enough to be partially or fully implemented depending on the nature of the disaster. Isolated business or service disruptions, as well as large scale community wide disasters, have shown that a well designed and tested enterprise wide continuity plan must be in place. Ensuring that an organization's assets, operations, commitments and relationships are protected is a critical element of staying in business. Unfortunately, a disaster is usually the test of the thoroughness of these alternative plans (Moore, 1997, 13).

The planning and response to catastrophes varies according to cultural norms. For example, Islamic countries devise and write disaster plans. However, the effectiveness and efficiency with which the plans are implemented into operations are likely to be affected by a pervasive fatalism and the acceptance that the "Will of Allah" will prevail, regardless of what is planned. Similarly, the Japanese attitude towards disaster planning is based on ancient traditions, rigid social and business cultures, and a vast maze of bureaucracy. In many developing countries, economic growth has exceeded urban planning and physical development. Therefore, disaster recovery planning may not work given the state of the transportation systems and emergency services in these countries (Gates, 1998, 61). Businesses are always exposed to disasters. These disasters have no respect for cultural, economic, social, political or environmental factors. In a global and ruthlessly competitive environment, those unable to respond rapidly in the aftermath of a disaster will soon lose customers regardless of culture or geographic location. However, this study focuses on disaster recovery within the U.S.

DIMENSIONS OF DISASTER RECOVERY PLANNING

The major dimensions of disaster recovery planning (DRP) are the relationship of cash flow to IT operations and the impact of potential threats on IT operations. The time to recovery and recovery strategy are dependant on these dimensions. The closer the linkage of cash flow to IT operations, the higher the risk and thus, the higher the investment required to minimize this risk. The closer the linkage, the shorter the time span for recovery. After identifying potential threats, organizations must assess the impact of these threats on the organization. If an organization's cash flow is tightly linked to IT operations or the linkage relationship is "Hi," and the potential threats also have a high impact on IT operations, the organization must adapt the recovery alternatives strategy for very high risk organizations. The level of risk determines recovery strategies.

[FIGURE 1 OMITTED]

The first major dimension of DRP is the relationship of cash flow to IT operations. Organizations are faced with many decisions that have enormous implications when planning for disaster recovery. With the move to ubiquitous information technology, recovery has become even more important in sustaining critical business operations. "A study done at the University of Texas at Arlington found that 85% of businesses are totally or heavily dependent on information systems to stay in business and that losing these systems can cost up to 40% percent of daily revenue. For some organizations, an outage of one hour or less that interrupts the flow of crucial information can cost over $100,000 in lost revenue. An AT&T study showed that nearly 60 percent of financial companies, nearly 50% of service companies, and over 40% of retailers would be seriously affected in less than eight hours without their major information systems" (Overman, Cook, Sandberg, 1995, 18). To prepare for potential disasters in information technology, large corporations spend up to six percent of their information technology budget on consulting, application software or outsourcing related to disaster recovery planning (Girard, Dillon, Ung, 1998, 14).

The second major dimension of DRP is the impact of potential threats. Legal threats due to lack of a DRP are becoming increasingly important. A company may face legal consequences as a result of not having a comprehensive disaster recovery plan. Since federal and state laws are finding it difficult to keep up with the ever changing technology, industry regulatory agencies are establishing rules regarding disaster recovery (SunGard, 1995, 1). The banking industry was the first to experience direct regulatory requirements for recovery planning. The Office of the Currency (OCC) issued Banking Circular 177 in 1983. This document alerted banks to the importance of recovery planning. Banks and organizations servicing banks must annually certify the existence of written recovery plans. The OCC and Federal Deposit Insurance Corporation have cited financial institutions for noncompliance of these regulations. Failure to comply can result in forfeiture of a bank's charter (SunGard, 1995, 3). In 1986, the Internal Revenue Service adopted regulations to protect tax information …