This post also appeared in The Tennessean, where Concept Technology has a bi-weekly feature in the Business section.
Business continuity and disaster recovery planning is hard work, so it’s not surprising that many organizations put off doing both.
To start, many people don’t understand the difference between the two terms. Business continuity defines the assets, threats and scenarios that can adversely impact your organization, and makes decisions about how to mitigate these risks — or to what degree these risks should be mitigated. In other words, business continuity planning prevents the disaster scenario from happening.
Disaster recovery is a subset of business continuity. It defines consistent, pre-planned actions that will occur in various disaster scenarios. Usually focused on recovering or continuing IT and technology systems, disaster recovery planning reacts to the disaster scenario after it has happened.
Most businesses don’t complete business continuity and disaster recovery plans because both are complex, time intensive and hard to complete. However, they are very important to the continued operation of a healthy business.
FEMA estimates 40 percent of businesses do not reopen after a disaster, and of those that do reopen, 25 percent fail within one year.
For the purpose of this column, let’s focus on the five steps of disaster recovery planning.
1. Define key assets, threats and scenarios.
You need to know what you’re protecting and its value to define how it should be protected. These assets could include your accounting system, files on your Local Area Network, email system and archives, etc. Next, you should evaluate the potential threats to all of your business locations, both natural (fire, flood, earthquake) and human (terrorism, theft, vandalism, HVAC failures).
With your assets and threats identified, define scenarios of potential disasters (for example, a site outage where the facility is still intact). When mapping out scenarios, take a moment to determine the recovery window — how long you can go without access — of each of your assets. Some of your systems may have one hour thresholds, or even lower, while others may be fine if they are operational the next day.
2. Define recovery solutions.
Solutions can range from recovering from tape backup or disk backup, to data replication to an offsite location. Determining the appropriate type and level of protection ties directly to the business value of the asset, and how long you can work without it.
3. Draft a disaster recovery plan.
Write everything down in a plan with key processes and communications. Your plan should answer questions such as: Who is responsible for declaring a disaster, and what is the communication chain?
4. Determine a place to go.
During a disaster, your employees need a place to go to continue working if an office location is compromised. Some employees and operations may need a pre-defined place with external communications links, hardware, software and data available, while some employees may be able to work by connecting via virtual private network (VPN) from home computers, laptops or remote sites.
5. Refine, test and re-test.
Your first test should be performed with a complete failover and failback of your systems. Follow the plan carefully — ideally, personnel who did not write the documents do the execution, so assumed steps aren’t taken. This presents an opportunity to further refine the plan and identify additional missing steps and weaknesses. It also allows for weaknesses in employee training to be identified and remedied. Since situations change, re-evaluate and re-test your disaster recovery plan annually.