This case analysis examines the process of developing and implementing a disaster recovery plan. The case (1) discusses some of the inherent problems that large organizations face in developing an effective disaster recovery plan, and (2) highlights the challenges of implementing a disaster recovery plan in the face of real-world events that vary from the plan's initial assumptions. This material is appropriate for undergraduate and graduate courses in risk management, information systems, and business continuity planning. The case is designed to supplement a general discussion of disaster recovery planning and disaster risk management.
Developing a disaster recovery plan is a challenging process for most organizations, requiring plan developers to strike an appropriate balance between breadth and detail. In 2001, the Chief Financial Office organization began a disaster recovery process that was completed in the early part of September 2001. This case reviews the process used by Merrill Lynch's CFO organization to develop a disaster recovery plan, and the challenges faced in implementing this plan following the events of September 11, 2001.
A broad scope of disasters can incapacitate a company's operations. The "disaster spectrum" can range from natural catastrophes, such as a tornado or hurricane, to "man-made" tragedies such as terrorist attacks. Developing a plan that can handle the gamut of possible events is particularly challenging, because plan developers must weigh the benefits of broad applicability against the need for sufficient detail to be useful in the event of a disaster.
Given that it would be infeasible to formulate specific responses for the entire disaster spectrum, plan developers often struggle to devise a plan that strikes the appropriate balance between sufficient plan detail and broad-based applicability.
If the plan is too focused, the company may find itself with a well-formulated plan that does not apply to the disaster at hand. Conversely, if the plan is too broadly developed, its usefulness may be limited in the event of an actual disaster. It is therefore imperative that companies frame their business continuity planning parameters to ensure some flexibility, while at the same time providing a detailed enough framework to be effective across the broad spectrum of possible disasters.
One of the most critical aspects in developing a comprehensive disaster plan involves choosing the parameters and assumptions to use during plan development. These elements define the ultimate structure of the plan and, therefore, its elasticity and effectiveness. A number of situational factors will often influence this choice. A company's location in southern California, for example, may make it particularly susceptible to earthquakes; a business site close to the North Carolina coast, on the other hand, may make hurricanes more pertinent. Aside from explicit spectrum considerations, however, corporate culture or employee biases and attitudes may also drive the parameters and implicitly affect the assumptions. It is important for developers to consciously recognize these influences so that they can evaluate what areas on the disaster spectrum are vulnerable.
STRUCTURING DISASTER RECOVERY PLANS
A common error that many companies make in developing a disaster recovery plan is that they focus on developing detailed protocols at the expense of plan flexibility. These "structured plans" outline in detail the actions that business units and individuals must take in the event of a disaster. They often include implicit or explicit assumptions about the nature of the disaster event, which directly influence the design of disaster protocols and recovery procedures. However, the usefulness of the plan could be severely diminished if the observed conditions vary significantly from the plan assumptions.
While the functionality of "structured plans" can be limited by their lack of flexibility, plans that are developed with insufficient depth can be equally problematic. …