Centurion Disaster Recovery Logo
Centurion Disaster Recovery
Who Are We
What We Do
Contact Us
Home  »  What We Do  »  White Papers  »  Contingency Planning 102  

White Papers

Business Contingency Planning 102

Foundations for Successful BCP in Your IT Department
Stephen Castella
January, 2001

Every company, and each of its locations, is susceptible to disaster. Disk crashes, power outages, and communication losses are all minor disasters that happen on an occasional basis, and most of us have a backup plan ready to put into effect. But what about major disasters such as the Oklahoma City and World Trade Center bombings? Is your company ready to respond?

Most companies are dependent on their computers to remain in business. Rather than just looking at getting the network up, you should also be concentrating on how to continue your business. That's why you need a comprehensive, effective, business continuity plan.

A disaster recovery plan is now called a "business continuity plan" because the most important goal is to enable your company to remain in business. To determine your risk of a major disaster, ask yourself the following questions:

  • What would you do if your employees couldn't get to work?
  • What would happen if your customers couldn't reach you for a few hours, days or even weeks?
  • How would you deal with the loss of critical business data?
  • Does your state frequently experience flash flooding, hurricanes, or tornadoes?

Scenarios like these could have a catastrophic effect on your productivity, upset your market share, and destroy all you have worked for if they remain unplanned for. Industry statistics indicate that 43 percent of companies never reopen after a disaster has struck.

The key phrase in business continuity is "reduce risk"‹meaning to prepare for any event that could jeopardize your business' ability to operate. If disaster strikes, companies have everything to lose‹critical data, profits, and information, all of which are critical assets in any company. A solid business continuity plan will ensure that your business can carry on as usual.

As we embark on 2001, we have found out that what we once thought of as a tool to get a job done has now become our most important asset‹information. Our reliance on technology to deliver the information we use in our strategic business plans requires our due diligence to protect it. Therefore, an event that disrupts the flow of information disrupts the flow of business. Wherever we see a PC, keyboard, printer, or server, we are indeed looking at our corporate assets, regardless of the technology platform, and wherever mission-critical applications have been defined.

The following information will provide a good foundation for creating a good business continuity program. This information could be used as a foundation, but like a foundation, it must be built upon and maintained in order to be truly effective. The first goal of the business continuity manager should be to obtain senior management's commitment to the program. This will pave the way to a smooth planning and testing process.

The Blueprint for an Effective Plan

  1. Identify business representatives.
    Business unit plans should identify a business representative authorized to determine recovery requirements. This person should also have the power to approve funding.

  2. Establish client participation and user acceptance.
    The recovery team will consist of individuals who are currently assigned to the day-to-day support of the product or the application being recovered. This team will also need the support from the infrastructure engineering teams, as well as the application development organization. Client participation in plan development and user acceptance testing is required in order to obtain successful results.

  3. Locate vulnerabilities in the technology infrastructure.
    In the past, the words "risk analysis" have meant the process of identifying and minimizing the exposures to certain threats that an organization may experience. Traditionally, this process would not include vulnerabilities in the technology infrastructure. With today's businesses relying on technology, a good risk analysis fundamental to a successful business continuity program.

  4. Perform a business impact analysis.
    A business impact analysis (BIA) outlines the consequences of an interruption to the business and other interdependent applications and serves as a benchmark for funding decisions and strategy development. Some of the criteria used are public image, customer confidence, market share, and regulatory and financial penalties. The critical functions, their recovery priorities, and their interdependencies must be established so that the recovery time objective (RTO) can be set.

  5. Identify technology requirements.
    The technology requirements for a successful recovery must include hardware and software equivalents to production. Careful calculations during this phase will ensure that the contingency environment mirrors the production environment.

  6. Develop a recovery strategy.
    The business needs will dictate the recovery strategies and recovery time objectives. RTO is defined by the business as the amount of down time their application can endure. The recovery time requirements of interdependent applications must be taken into consideration. Two key components to any contingency program should include a strategy to back up and restore vital records.

  7. Create vital records and provide offsite storage.
    A critical component in plan development is the selection of backup and restoration software capable of storing and successfully retrieving data. Without this, there is no business continuity program. Backup scheduling must include an off-site storage location.

    Once the data is carefully backed up, it must be accessible in the event that the facility is not accessible. There are bonded commercial storage vendors that provide security and offsite data storage. Data is usually retrieved for daily restores as well as disaster recovery testing.

  8. Build the plan.
    A critical step in plan development is actually building the plan. Full cooperation from all of the teams is necessary to create a viable recovery plan. This is where the majority of the work will be performed. Any group or individual providing a product or service on a day-to-day basis should also be responsible for supporting the service during a contingency event.

  9. Perform a functionality test.
    Once requirements have been defined, a strategy has been developed, and the plan has been built, it is time to test the functionality of the plan. This effort will involve most of the teams that have business continuity plans and is designed to demonstrate whether or not the predefined business objectives could be met within the RTO. Each team representative will then verify its portion of the plan. The next and most critical step of all is user acceptance testing.

  10. Conduct user acceptance testing.
    Each user should create a test script designed to validate the accuracy and performance of its application in a contingency environment. The test scripts should not be a bare bones representation of the production environment. The script should give a clear indication of whether or not they can do business as usual as stated in their recovery requirements.

  11. Obtain user evaluation sign-off.
    Users should be asked to provide their views on the testing process, as well as on the results of the test. The users should also provide comments regarding lessons learned and improvements and modifications that they would like to see as a result of the test. A user sign-off sheet should be provided for this purpose and must be signed off by a manager of the business. The business contingency manager should compose a post-test report stating if the objectives of the test were achieved. All plans must be tested on a regular basis in order to be contingency compliant.

Summary
Keeping the business running is everyone's responsibility. New hires to a company should be informed that contingency planning is not something that they will do as a favor, but something that is part of their job requirements.

Have you ever wondered why you never hear about the business that did not have a contingency plan?

First Things First
The following are some smaller steps that companies can take immediately to minimize risk:

  • Get a backup generator
  • Store computer systems in a safe, restricted area
  • Run virus checks on PC's and firewall connections
  • Route cables to avoid single points of failure
  • Change locks and passwords when employees leave the company
  • Negotiate maintenance contracts that guarantee quick response and replacement
  • Use surge suppressors and uninterruptible power supplies (UPSs)

About the Author
Stephen Castella is project leader at Morgan Stanley Dean Witter. He has been in the contingency planning field for five years and is a member of the Contingency Planning Exchange

Article reprinted with permission from Contingency Planning & Management magazine. Original Publication: January 2001



Contact Us  Top of Page
 Printer Friendly Version
 Email a Colleague




All Original Content Copyright 2002 Centurion Disaster Recovery. All Rights Reserved. Centurion Disaster Recovery is a division of Jack Henry & Associates, Inc., Where Tradition Meets Technology.