Disaster recovery is often viewed as the need for backup systems to safeguard an organization's data. Here's a little hint for the survival of your company: It's not just about the data.
The IT and data elements of disaster preparedness are critical components of overall preparedness. In today's technological and global environment, organizations rely heavily on access to their data, 24/7, and any interruption of that access can be catastrophic to the organization. And increasingly, this data is not only for internal use, but also for use by business partners, vendors and customers. The availability of this information literally may mean the difference between a business's survival and demise; it can reduce the impact of the disaster and shorten the recovery time.
In the information-hungry world we live in, reducing vulnerabilities in data access can impact an organization's ability to respond and the community's ability to recover. Yet according to a 2004 survey by AT&T Corp. and the International Association of Emergency Managers, nearly one-third of U.S. companies do not have a business continuity plan (BCP) in place. Large-scale disasters expose the number of organizations that are unprepared, while demonstrating just how damaging that lack of preparation can be.
The tragedies of Sept. 11, 2001, Hurricane Katrina, the recent earthquakes in Haiti and Japan, and other major disasters have placed business continuity planning and disaster recovery in the spotlight. But it is important to note that localized disasters such as fire, and even brief disruptions such as fiber cuts, can be equally damaging. A simple Internet virus or worm spread over a single laptop can bring your operations to a grinding halt.
Industry standards and regulations, such as HIPAA and Sarbanes-Oxley, also act as drivers for implementing solutions. These regulations are designed to protect organizations by enforcing the implementation of BCPs.
During a catastrophic event, many organizations are forced to put their BCP and IT disaster recovery infrastructure into action. Many more organizations, however, find that the lack of a plan or failover capabilities makes an already difficult task insurmountable. In a hopeless situation, the presence of a detailed BCP can create hope.
While this type of safeguard is absolutely a necessity to protect valuable data and reduce the amount of time your organization will need to recover from an incident, this is only part of the solution. A true disaster plan goes far beyond backup servers and drives.
Start With the Planning Process
Again, it's not just about the data. When disaster strikes, what plan does your organization have in place to communicate, both internally and externally? How will your organization ensure it can get your personnel to your hot site? An IT disaster recovery plan is only a small part of an overall business continuity plan. The most important aspects of effective disaster recovery are planning and training, both of which need to be done far ahead of the event. The planning process is more important than the plan itself.
General Dwight Eisenhower said, "Plans are useless; planning is everything." Planning across the board has fallen on the shoulders of one or two people within an organization. After months of writing the company's disaster plan, they distribute the document to all departments, where it sits on bookshelves collecting dust. The next time the plan is looked at is when the disaster strikes. In this scenario, the plan is destined to fail. But firms can avoid this fate.
Step 1: Involve Everyone.
Disaster planning must involve all stakeholders in the process. Just as data recovery takes into consideration different priorities and timeframes for bringing systems back online, different priorities and timelines exist for bringing services back to a pre-disaster level. Additionally, it is critically important for government, private industry and community organizations to plan together, as there is a reliance on each other for components of response and recovery.
During a widespread disaster such as a hurricane, all stakeholders will be in harsh competition for the same limited supplies and resources, including food, water, computers and clean-up services. The impact of the disaster, such as in New Orleans and Haiti, may be so widespread that local relocation may not be an option. Transportation (and fuel) options may be limited or nonexistent for days or weeks depending on the disaster. All organizations must work together to survive the event.
Step 2: Plan for the Worst-Case Scenario.
While you can't plan for every contingency when developing your plan, consider not only your organization's vulnerabilities, which can include location, security threats, etc., but also your company's capabilities. Once you have determined the most likely disasters to affect your organization and the impacts on your organization, the plan must be grounded in reality. When you write your plan, consider the capabilities and resources that exist today -- not what you are planning toward or will eventually purchase.
That's not to say that you shouldn't build remediation steps into the plan. Determine what resources will be needed to respond and recover based on the threat and vulnerability analysis. If they don't exist, the list will serve as a road map for strategic and budgetary planning, or at least indicate to senior leadership and shareholders what will be required at the time of the disaster. Set expectations in advance of the disaster.
Step 3: Train and Exercise the Plan.
Even if the plan is developed with the input of all stakeholders, the planning process is still not complete. The plan is only good if every employee (from the receptionist to the CEO) is aware of the plan and how to use it. One of the most critical steps in the planning process is to test the plan. Short of an actual disaster, the easiest and most efficient way to test a plan is through a training exercise.
An exercise serves as the "final exam" at the end of a planning cycle, fosters communication between business units, trains users on the employment of a plan and their role in a disaster, and provides a "no-fault" environment to identify gaps. The time to find out if the plan will work is not when people are standing in a pile of rubble. Having the plan fail during the exercise is actually a good thing, as long as changes are immediately made, updates are communicated, employees are made aware, and the plan remains a dynamic work in progress.
Step 4: Putting It All Together (Don't Forget the People).
The plan is developed, personnel are trained and the plan has been tested. Then a disaster strikes and the plan still fails. Some plans have ignored or forgotten the most important aspect of the disaster planning process: All disasters affect people. Disasters leave victims in their wake, and some of these victims may be the very personnel organizations were counting on for response and recovery. If the plan hasn't considered employees' personal and family needs during and after a disaster, they will not be there for the organization when disaster strikes.
If there is advance notice of the disaster, such as a hurricane or blizzard, allow time for your employees to address protection of their families and property. Once all is safe on the home front, they are more likely to be available for their employers. After Hurricane Andrew struck south Florida, firefighters and police in Homestead walked off the job or never showed up for work because their homes were damaged; their lives were in chaos. Once city officials brought in crews to assist in the cleanup and temporary repair of their homes, they felt secure enough to return to duty.
Also take into consideration the hardship on a family if you relocate your business operation out of the area. Your plan will only work if every member of your response team is familiar with it and if post-disaster expectations and roles are clearly defined.
Disaster planning is really about the process and less about the technology for disaster recovery. The plan should serve as the framework and general direction to follow, but it cannot take into account every scenario or contingency. There is no way to train for all disasters.
However, having a strong core plan with policies and standard operating procedures (SOPs) to guide management and employees during a disaster will ensure your organization's survival. The disaster plan does not tell you how to do your job, but rather how to do your job in a compressed timeframe, under stress, and possibly without all of your organization's resources in place.
About the Author: Adam Montella is the VP for homeland security and emergency management for Animus Solutions, a management consulting and technology services company. He has more than 25 years of direct homeland security and emergency management experience in government and private industry. Montella most recently was appointed to the Federal Emergency Management Agency's (FEMA) National Advisory Council's (NAC) Public Engagement & Mission Support Subcommittee and the National Response Framework Working Group.