
Your Plan Is Only As Strong As The Weakest Link

Tom Williams - CENTURION Disaster Recovery

The good news is that many organizations now realize the value of having a sound Business Continuity Plan. They either have one in place or they are in the process of developing one. Organizations are making the transition from traditional Disaster Recovery Planning (DRP), which primarily focuses on restoring the technology of the company, to enterprise-wide Business Continuity Planning (BCP). It is this enterprise-wide BCP (planning for continuity of all critical organizational functions) that regulators and governmental guidelines will focus on. In many cases, it is also a requirement in the business-to-business supply chain management process.

The bad news is that with the transition from DRP to BCP, organizations often overlook the additional complexities that come with the organization's dependence on both internal and external resources. When it is time to execute the plan, multiple vendors, suppliers and support agencies are needed for successful implementation. Proper planning and coordination of these resources is crucial. If one or more of these resources is not available at the proper time, the plan's success is significantly impacted. Remember - your plan is only as strong as its weakest link.

During the traditional DR planning era, recovery focused only on restoring systems and data communications, at best. Therefore, dependencies on resources were limited to those organizations providing products and services to restore the technology, i.e. off-site storage facilities, transportation providers, hardware/software vendors, hot site providers and internal information systems support. In today's BCP environment, with plans encompassing multiple business units, multiple platforms and a broader array of disaster scenarios, the quantity of resources the plan manager must deal with has significantly increased.

The organization needs to identify where dependencies exist in current operations and where they might exist in a disaster situation. To determine these dependencies, the organization must conduct a Vendor/Supplier Dependence Analysis to determine the level of dependence on both internal and external resources.

The process consists of the following steps:

1. Identify all of the organization's vendors, suppliers and support institutions that are required to support the plan.

2. Ensure that critical information is provided for each organization. Such information includes contact names, addresses, phone numbers, pager numbers, email addresses, a description of products or services provided, contract numbers, special instructions, after-hours contact information, etc.

3. Categorize the organizations into the type of services or products they provide:

  • Emergency Services - Police, fire, ambulance, hospitals, Red Cross, FBI, FEMA, etc.
  • Public Services - Utility providers (electricity, water and gas companies), transportation providers (airlines, trains, taxis), etc.
  • Private Sector Providers - Companies with which you may have contractual agreements. This includes alternate recovery facilities or Hot Sites, off-site storage facilities, hardware/software vendors, data and voice communications vendors, equipment providers, mobile recovery providers, outsourced processing facilities, travel agencies, temporary personnel agencies, trauma counselors, mail services, realtors, phone companies (land and cellular), contractors, engineers, security agencies, forms providers, alternate email providers, etc.

4. Categorize each resource as either an internal or external resource. Internal resources are services or products provided by a department within the organization, e.g. Information Systems support or mail delivery. External resources are provided by an outside company or agency, e.g. a phone service provider or power company.

5. Determine your level of dependency with each provider as it relates to executing your plan and recovering your mission critical functions. The following can be used as a guideline. The actual levels and descriptions may vary based on your organization.

| Dependency Level | Explanation |
|---|---|
| DL1 | Highly dependent on this product or service. Examples would be providers of the following: hot site and alternate sites, off-site tape storage, voice/data communications, shipping-receiving (e.g. FedEx). |
| DL2 | Moderately dependent on this product or service. Examples may be your realtor or your forms supplier. |
| DL3 | Minor dependence on this product or service. Examples may include a temporary personnel agency or a contracted plumber. |

Keep in mind that based on the disaster's type and magnitude, dependence levels and requirements may change dynamically.

6. Establish provisions for those providers that fall into the DL1 and DL2 categories. You must ensure that they are able to provide you with the service or product once you activate your plan. This may include entering into a contractual agreement with the provider if you are not currently under contract, establishing a service level agreement (SLA) or obtaining some other bonding agreement.

7. Determine the interdependencies between the required resources. For example, the alternate recovery facility is a critical resource; getting to the facility, however, requires transportation.

8. Determine at what point during the execution of your plan the providers will be needed. This is where coordination of vendors and suppliers is critical. Some services may be required immediately after the event, i.e. transportation, alternate sites and restoration services. Others may not be required until later in the process, based on the event's magnitude and duration. You want to avoid wasting valuable time and resources contacting providers and getting them involved if you do not actually need their services. In some instances, it may be feasible to provide an alert status to the provider prior to the actual disaster declaration.

Timeframes For Occurrence:

| Event | Resources / Providers Required | 0 - 2 Hours | 2 - 4 Hours | 4 - 12 Hours | 12 - 24 Hours | 24 - 48 Hours |
|---|---|---|---|---|---|---|
| Business interruption discovered and Management Team informed | Phone Company | x | | | | |
| Secure building | Security Vendor | x | | | | |
| Conduct initial interruption assessment | HW-Utility vendors | x | | | | |
| Activate the hot site(s) | Alternate site provider | x | | | | |
| Begin travel to hot site(s) | Transportation | x | | | | |
| Retrieve backup tapes and send to hot site | Off-site storage | x | | | | |
| Forward critical phones | Phone company | x | | | | |
| Order replacement equipment | HW/SW providers | | x | | | |
| Re-direct all mail and shipments | Post office - FedEx | | | x | | |
| Restore email operations | Alternate email company | | | | x | |
| Start repair efforts | Restoration provider, Contractors | | | | | x |

9. Know your provider's recovery plan. If your organization is highly dependent on a provider, it is important that you know what their recovery plan consists of and how their products or services would be provided to you during an interruption. Bear in mind that not all companies may want to comply with your wishes due to confidentiality concerns. At the least, you should obtain a written report stating when you could expect the services or products that they provide for you.

10. Establish contingencies for the critical providers in the event that they are not able to deliver when expected. Examples may include having:

  • Alternate transportation available, if airlines are grounded.
  • Duplicate copies of your backups stored in separate locations, in the event that you cannot obtain access to one set due to road destruction or the area being evacuated.
  • Cellular phones available for critical personnel, in the event that land lines are down.

11. Document and incorporate the above contingency procedures into your business continuity plan and make them part of your testing and maintenance philosophy.

Tom Williams is the manager of business recovery consulting for Centurion Disaster Recovery Services (Angola, IN). He can be reached at 800-299-4411 or via e-mail at towilliams@jackhenry.com.

All Original Content Copyright 2002 Centurion Disaster Recovery. All Rights Reserved. Centurion Disaster Recovery is a division of Jack Henry & Associates, Inc., Where Tradition Meets Technology.