Mark Mutch

Monday, 25 April 2005 09:23

Disaster recovery planning

"Ammonia spill causes evacuation"

"Fourth hurricane hits home"

"Train derailment forces businesses to close"

"CEO fired after $24 million Comair DRP shortfall"

Disaster recovery planning is critical. Any one of a number of disastrous events -- human error, internal or external sabotage, flood, fire, earthquake, hurricane, tornado or terrorist activity -- could shut down a data center, server or network in the blink of an eye.

Sales and production could stop. Customers might go elsewhere and never return. And the longer it takes to get back online, the greater the chances that a business may never recover.

There are also the headlines you'll never see:

"Ralph is in the hospital -- and the server just crashed"

"Bob just finished the system restore, but it was the wrong tape"

"Tom got in a car accident ... Do you know the admin password?"

"Judy deleted the Com file by accident; how did she get access to it?"

These disasters can and do happen. And because disaster recovery plans are highly confidential, both failures and successful recoveries receive little publicity.

What is disaster recovery?
Disaster recovery (DR) is the process of returning a business function to a state of normal operation, either at an interim, minimal survival level or by re-establishing full-scale operation. This process is enabled by a disaster recovery plan (DRP).

From an information technology point of view, unlike simple data backup, true disaster recovery depends on more than just replicating data. Essential system elements must also be present and accurate to ensure that applications are fully available to the people who need them.

Disaster recovery includes complex detail such as network topology and device configurations to simple information such as a documented list of admin passwords and contact information for key personnel.

Why the concern?
When a disaster occurs, there is severe disruption to normal operations; backlog of work; potential staff morale problems; cramped, inadequate accommodations; potentially disastrous effects on customer satisfaction, credibility and goodwill; and well as cash-flow problems and financial losses. There may even be litigation.

And more than 80 percent of companies that suffer a disaster and do not have a recovery plan can expect to go out of business within 18 months as a consequence.

Solutions
The answer is a risk and business impact analysis, which identifies threats and their potential risk, estimates the effects of a disaster on the organization and helps define the focus for DRP and recovery strategies.

The probability of a disaster occurring is uncertain. A disaster recovery plan, however, is similar to liability insurance; if a major catastrophe occurs, it will not result in financial disaster.

Insurance alone is not adequate because it may not compensate for the incalculable loss of business during the interruption or the business that never returns.

After the plan
Once your plan is complete, consider the following actions:

  • Business optimization. The planning process creates a unique, objective view of a company's business functions and system interdependencies. Often, the best risk mitigation is the upgrade, optimization or elimination of a nonessential business or systems function.

  • Periodic testing. Part of the DRP process is to establish requirements for ongoing testing of the plan. In addition to increasing a company's confidence in the plan, it ensures that individuals are up to speed to execute the plan if required.

  • Review and revise. A disaster recovery plan's effectiveness fades with time. A re-evaluation often is required annually to incorporate changes to personnel, departments, equipment and procedures.

If the owner or CEO doesn't have a current DRP in his or her home fire safe, there's a gap.

Mark Mutch is the practice leader of IT risk management for Xperianz, a professional services firm specializing in real-world business solutions to reduce cost, mitigate risk and leverage technology. Xperianz is one of the fastest-growing firms in North America, with offices throughout the Midwest and Southeast. Reach Mutch at (216) 570-8659.