Business Continuity and Disaster Recovery – the term that describes the process and steps for an organization to return to normal operations as they were before a disaster or crisis, were words, which a few years ago were not very common or rarely had such a big importance as they have now. With more and more technology that we rely on, digital documents saved on various media, communication relying mostly on phones, e-mail and instant messaging, our businesses cannot exist without it. Although in the past decade disaster recovery has become a more and more important issue, especially after companies faced loss of data due to technology failure, hackers or viruses, it has only become a very realistic and daily issue after September 11, 2001. Since then disaster recovery has become one of the hottest topics for businesses and governments throughout the world. Not only that, but also has the definition of disaster shifted from “small disasters” such as natural weather storms, tornados, hurricanes, fires, earthquakes, explosions and contamination, environmental, epidemics, loss of utilities and fuel, mergers, as well as legal problems (Levine, 2002) but this list has expanded to include disgruntled employees, thieves, manmade “disasters” such as strikes, mobs, war, bombings, etc. and now… terrorism (Ridgway, 2003).
Since September 11, business and government have now realized that business continuity planning (BPC) and disaster recovery planning are vital activities. However, the creation and maintenance of a sound business continuity and disaster recovery plan, is a complex undertaking, involving a series of steps. Unfortunately a lot of companies or agencies have no yet developed their business continuity and disaster recovery plans, mainly due to the fact that it is a long and continuous process which is never completed, requires training, testing and auditing and therefore takes up a lot of resources. According to a study conducted by Forrester Research on disaster recovery capabilities a majority of the 504 enterprises polled are not protecting many of their remote sites from a local disaster because they are not replicating or backing-up data to a central facility. Only 16% of US and 15% of European respondents report that 80% or more of their remote sites are protected with centralized data replication or remote backup technologies. This again means that enterprises are either relying on local backups and offsite tape vaulting for disaster recovery, or there is no disaster recovery solution in place at all and therefore they are vulnerable to disasters. But the research also shows that enterprises are concerned with risk and disaster recovery. More than 75% of respondents consider it critical to improve data recovery times and limit data loss at a backup data center and remote sites. In addition to that, on average 21 percent of respondents’ IT budgets is earmarked for business continuity and disaster recovery efforts (Bednarz, 2007).
Critics of disaster recovery plans have noted that although many companies do have technical disaster recovery plans in place which include daily tape or remote backups, a second administrator, batteries as well as even complex solution such as automated fail over in case of IT failure, but what about support infrastructure and services? What does it take to have the business fully functional, employees back in doing the work and providing the customer support and service they are selling? Many companies fail to analyze these risks and implement viable recovery solutions into their business contingency plan. “Disaster recovery plans that take into account only the physical impact to the infrastructure are shortsighted and need to be remedied,” said David Jordan, chief information security officer for Arlington County, Va. (Vijayan, 2005).
Disaster recovery plans usually prompt many IT operations to focus on traditional business continuity processes which involve disruptions caused by physical damage to the infrastructure only. Until recently, organization’s computer systems were centrally located in a data center, and keeping the technology online was the responsibility of Computer Operations. As such, disaster recovery and contingency planning were also the responsibility of Computer Operations, whose focus was to ensure that business applications were available as required. And traditionally firms were required to work with only one single vendor, who provided physical facilities and equipment in case of an emergency, but today’s computing environment is far different, more distributed, and as such, much more complex to manage. Business information is dispersed, as local area networks and departmental systems have replaced the monolithic mainframe. In addition to that, the emphasis on the computer and resident information has given way to an emphasis on ensuring continuity of the processes that keep the business running. Risk management and business continuity planning, therefore, must become critical components of business operations and it is no longer just a technical issue that can be maintained by Computer Operations only. It is a task that is to be managed and enforced by the executive level (Krause & Tipton, 1993).
Although it is important for customers to eliminate downtime on mission critical servers, organizations are not only generating revenue while the system is down, but also when their non-technical business processes fail. “People are reticent to outsource because of security reasons or because they think they can do it themselves,” says Mike Rosenfelt, executive VP of MessageOne, “The irony is that if a threat can take down and incapacitate your entire infrastructure and not leave anyone to run disaster recovery, you may not be there to manage anything.” (Bleasdale, 2003). Proper and sound disaster recovery and business contingency plans include a lot more than the type of backup and recovery that involves tapes and hot sites. Corporations are realizing that disaster recovery is only a part of what should be a company wide business continuity plan but until recently the general focus on disaster recovery was focused on IT at the expense of the rest of the business.
The first step to create a sound and proper business contingency and disaster recovery plan, is the process of identifying, analyzing and assessing, mitigating, or transferring risk. It defines an organization’s critical business functions, identifies and prioritizes risks (such as natural disasters or terrorist attacks) to those functions, and establishes policies to avoid or mitigate those risks. This process includes a few questions that are the core of the Risk Management process. These questions include, but are not limited to:
- What could happen (threat event)?
- If it happened, how bad could it be (threat impact)?
- How often could it happen (threat frequency, annualized)?
- How certain are the answers to the first three questions (recognition of uncertainty)? (Krause & Tipton, 1993).
Once risks have been analyzed and assessed, each corporation will most likely face the fact that there will be some unacceptable risks as a result and that will require to start the process to initiate business continuity planning. And this includes to devise a disaster-recovery plan for critical systems and data, including the establishment of primary and alternate recovery teams; setting up notification procedures such as call trees; determining primary and alternate meeting or work sites; tracking inventories of software and hardware; having readily accessible contact information for vendors; and clearly defining back-up and recovery techniques. Disaster-recovery plans should also evaluate the need for, or the configuration of, replication, redundancy clusters, software change management, remote access, access to back-up tapes or servers, and hot or cold sites. But also the disaster recovery and business contingency plan should have disaster recovery planning & policies in place, Service Level Agreements from vendors, contingency audit and plan assurance, identification and location of critical records, set response times, periodic maintenance or equipment and material as well as solid disaster prevention policies.
But even once a complete disaster recovery plan including all scenarios, possibilities and remedies has been designed it is a mandatory requirement to test it and have the staff trained to react to the scenarios and use the recovery plan to maximize recovery efforts. In addition to that each recovery plan has to include set up intervals of training and testing for the disaster-recovery team and the business continuity plan as a way to make revisions and stay confident the plan is battle tested. Chris Leach, national director for Grant Thornton, a global accounting firm, agrees that it is all about testing. “It’s sobering when you run your first test and see what you missed. I have never seen a test that did not involve surprises,” he says (Fontana & Connor, 2002). Surveys show that among the companies and organizations with BC plans most have never taken the steps to actually test and evaluate the vital plans, and therefore, are not in a position to determine how effective it is.
The goal of a sound BP is to safeguard the company, it’s reputation, brand and value-creating activities, critical data as well as it’s key stakeholders. It also identifies potential risks that threaten a company or organization and provides a framework for building resilience to the risks. It is not just for large corporations and organizations. Small businesses actually have fewer resources to fall back on in a disaster, and are even more vulnerable without a critical business continuity and disaster recovery plan in place.
The business climate today requires that everyone (from the board of directors to the companies customer service department) to understand the nature and scope of proper business continuity and disaster recovery plans. The directors and top management needs to be in a position to effectively evaluate the business continuity plan and data for disaster preparedness. When required, they should enhance the business continuity management and infrastructure within their organization and the focus should not be only on technology and infrastructure but also, if not even more important, the entire business processes that come with daily business operations. It is not just about “if you pull out your IT department, can you run it somewhere else?”, but it is also about scenarios such as “if your site is evacuated due to chemical alarm or fire, can you manage your business from a remote site if you can’t get to your servers and provide your customers with the same service you do now?” If in both cases, the answer is affirmative and it has been recently tested and all staff is trained to know what to do, the corporation has a sound business contingency and disaster recovery plan in place.
However, recent surveys show that most companies will not be able to answer this question with a “Yes”, leaving not just their business at risk, but also the consumers, relying on the services provided to them as well as our regional if not even national economy. And that is not a scenario which companies can ignore because of lack of funds, time, knowledge or resources.