Continuity Errors: Does Your Firm Have an Adequate Disaster Recovery Plan? David Taylor Explains Why It Needs to Encompass Not Only IT but a Lot More Besides
Taylor, David, Financial Management (UK)
Disaster recovery (DR) and business continuity (BC) are often seen as IT issues. Traditionally, if there was a major systems failure, the IT department had a DR procedure to restore them, and when people considered business disruption they usually thought of a hardware or software crash. Increasingly reliable hardware has since cut failure rates and made much of the back-up equipment redundant. It's now rare for a firm that has invested in the right hardware to suffer a breakdown that affects its operations. Software failures do still occur, especially when things change--during upgrades, for example so it's important to have testing, back-ups and implementation plans in place. But falling hardware costs make it more viable to have a separate test system, perhaps also acting as a standby.
The main risk of IT failure now comes from the internet, where the threat of hackers, spyware and viruses eclipses all other issues. There's a constant game of catch-up between those developing the mal ware and those who produce detection and cleansing programs. Even if the danger cannot be eliminated, appropriate security software and devices can minimise it.
Core IT problems are, therefore, becoming less likely to interrupt your operations, leaving the most likely culprits as utility services failures, fire and theft. Although the threat of terrorism generates a lot of media attention, an attack is statistically far less likely than an extended utility service failure. Consider the impact that even a one-day power cut would have on your business.
Most people now understand that the IT disaster recovery process cannot be isolated from the core business activities. There are many organisational issues to be considered in the IT recovery plan. If several systems fail, which ones should be restored first? How quickly does the business require the various systems to be available again? IT staff can adapt back-up methods accordingly, putting in place relatively cheap, slower recovery methods for non-critical systems and spending more on "hot standby" systems in high-priority areas.
You also need to consider whether your firm could continue operating if it were to lose the contents of its offices in a fire. Do you have insurance cover, customer contact details, headed paper, essential office supplies and other premises available at short notice? These issues aren't part of an IT recovery plan, but they are a key part of business continuity.
What should I do?
As a first step, every organisation needs proper insurance and physical monitoring. Your policy may cover fire and theft, but how about flooding? You might think that you don't need this cover if you're on the first floor--but the tenant on the second floor may have a toilet or kitchen directly above your server.
You can fit a variety of devices to help prevent disasters from striking in the first place. The most obvious of these is a burglar alarm. If you tell your insurers that you have an alarm, you must ensure that it's used correctly, since they may refuse to pay out if it emerges that someone forgot to set the system when rushing to the pub on Friday evening.
The next step is to have a written plan. The IT plan will go into technicalities and should be a separate section within the general BC plan. Both should use scenarios to generate discussions on preparing for a range of problems. IT may play a key role in the BC plan, but the IT department shouldn't "own" it. This should be allocated to a business manager who should be responsible for updating and testing it, as well as for communicating its requirements. An excellent BC plan is useless if no one knows where it is or what its contents are.
The BC plan should cover issues such as:
* What is expected of the IT recovery process--specifying systems and schedules.
* How to order--and pay for--replacement IT equipment, software, stationery, temporary staff etc at short notice. …