Disaster Recovery and Business Continuance: Best Practices for IT

RFG’s Information and Resources Center on disaster recovery includes several past Research Notes that provide guidance concerning specific issues, offerings, and vendors. This Research Note updates and expands on some of that information, and offers guidance on how best to approach four key pillars supporting every effective DR/BC strategy. These include:

• comprehensive plans, including methods and resources for their frequent testing and refinement;
• compelling justifications for such plans and their execution;
• constituent buy-in at every level of the enterprise;
• and well-managed vendor roles.

What Constitutes an Effective DR/BC Plan?

Every enterprise needs an IT infrastructure that can recover as quickly as possible from serious disasters and be resilient in response to successful threats. Various technological solutions, ranging from “hot spare” servers and redundant data centers and power supplies to personal firewall and anti-virus tools, can play important roles in delivering such an infrastructure.

However, technologies alone cannot assure effective and successful DR/BC strategies. Such strategies must address personnel, procedures, and technologies to deliver maximum business value. Specifically, effective DR/BC strategies must be supported by plans that address needs for rapid restoration and continuance of personnel roles, business procedures, and critical technologies, in that order. Without people to operate them and procedures to guide those people, the most sophisticated DR/BC technologies available are of little to no value.

IT executives should work closely with line of business (LOB) managers, senior executives, and key users within their enterprises, to identify and prioritize the staff positions and business procedures most critical to rapid restoration of business operations after a disaster. These positions and procedures should be identified as specifically and completely as possible in the enterprise’s DR/BC plan. Figure 1 below provides a sound starting point for determining the list of specific elements each enterprise’s DR/BC plan should address in these areas.

Source: Robert Frances Group

In addition, business application profiles (BAPs) and user application profiles (UAPs), or their equivalents, should be expanded to include relevant DR/BC information. They should also be used to help DR/BC planners choose and prioritize the people, procedures, and technologies most critical to rapid, successful response to disasters. Not all resources require the same level or timeliness of protection, and different scenarios may require different time frames for implementation of DR/BC solutions and/or return to normal operations.

Perhaps most important to sustained DR/BC success, effective DR/BC strategies and plans must require and support frequent testing and refinement of underlying scenarios and assumptions. At the very least, every significant change in business or IT infrastructure a new application, new server or storage platforms, or newly acquired or merged business units should trigger testing and possible refinement of an enterprise’s DR/BC plan.

Compelling DR/BC Justifications

To obtain adequate support and resources to create and maintain effective DR/BC plans, IT executives and their colleagues will likely need to justify DR/BC activities and investments to affected constituents and funding providers. Fortunately, at least in some senses, current conditions offer several compelling justifications for developing DR/BC strategies and plans that effectively address the key areas of concern discussed above.

Disasters can result in outages that range from hours to days or weeks. This can result in losses in revenue and productivity that can reach tens of millions of “hard” and “soft” dollars, particularly at enterprises highly reliant upon IT-enabled financial transactions. IT executives should work closely with their business-focused colleagues to quantify such potential losses as completely and accurately as possible.

Beyond lost revenues and productivity, sufficiently disastrous disruptions can threaten an enterprise’s very existence. According to some industry-watchers, as many as 20 percent of companies that experience serious, sustained disasters go out of business completely within 24 months of such events. Such harrowing potential eventualities should motivate IT executives to ensure their DR/BC plans identify all potential failure points in their enterprise infrastructures, and focus on protecting and/or avoiding these in case of a significant disaster.

In addition, regulations are increasingly compelling companies, particularly those in specific industries, to implement effective DR/BC strategies and plans. Examples include the Federal Thrift Supervision Act for financial institutions and the Health Insurance Portability and Accountability Act (HIPAA) and related regulations for enterprises involved in health care and insurance. Anticipated “Homeland Security” initiatives are expected to impose similar requirements on utilities and transportation companies, and perhaps other types of business as well.

Further, corporate liability insurance rates are increasingly likely to be affected positively when DR/BC solutions are implemented, and negatively when they are not. IT executives should work with legal and insurance experts within their organizations, to identify and respond to any regulatory or other financial incentives to implement effective DR/BC plans at their enterprises.

IT executives should also not overlook the desire of their enterprises’ senior executives to avoid what some industry wags call “CNN moments.” As amply demonstrated by outages at Amazon.com, Inc., Charles Schwab & Co., Inc., eBay, Inc., Merrill Lynch & Co., Inc., and elsewhere, such moments can be embarrassing to executives and financially damaging to their companies.

Taken together, these and other justifications and evolving market conditions point to an inescapable conclusion. While other IT initiatives may be desirable, effective DR/BC strategies and plans are absolute essentials, from both IT-centric and business-focused perspectives. IT executives should work diligently to make this clear to any at their enterprises who may be able to affect availability of resources to support such strategies and plans. IT executives who cannot demonstrate the potential costs to their companies of ineffective or no DR/BC efforts may find it difficult or impossible to gain the support DR/BC initiatives need to succeed.

Complete Constituent Buy-in

Once initial plans are in place and effective justifications identified, IT executives and their colleagues should strive to ensure support for their DR/BC plans among all key constituencies. At most enterprises these will include the IT team itself, senior corporate and LOB executives, and users. As part of their efforts to garner support from all quarters, DR/BC plans should be published and widely disseminated, so everyone knows what is possible, what’s at stake, and the potential costs involved.

With IT team members, attempts to solicit support should focus on the ability of effective DR/BC strategies to result in greater business value and alignment for IT. This can result in opportunities for IT staff members to enjoy increased perceived value at their organizations, and to achieve personal and professional growth in their jobs.

With senior corporate and LOB executives, attempts to garner support should focus on business benefits, including more reliable and responsive operations, and on the specter of lost revenues if effective DR/BC strategies are not supported. Such efforts should also include frequent solicitations of input and feedback from these constituents throughout the DR/BC planning process.

Where users are concerned, the prospects of continued, consistent productivity with minimal disruptions can prove persuasive. As with LOB and senior executives, IT executives can increase support from users by soliciting their input and feedback throughout the development of DR/BC plans, and during testing and significant refinement of those plans.

The Role of Vendors

Vendors can play important, valuable roles in helping enterprises develop and execute effective DR/BC plans that integrate tightly with business processes and goals. However, IT executives and their DR/BC colleagues must work together carefully, to determine whether and where best to engage the help of vendors. This is especially true when DR/BC plans include reliance on vendors for outsourced services, which may need to be invoked quickly and under duress in the face of a sufficiently significant disaster.

Specifically, IT executives and their colleagues should identify their key and critical vendors, and include those vendors in the DR/BC planning and strategy development. IT executives should ensure that key requirements are spelled out explicitly in all contracts, and are agreed to by all parties. In addition, candidate critical vendors should also be fully vetted, to confirm that they have the capacities they claim. Several enterprises suffered in the aftermath of events on Sept. 11, 2001, when their chosen outsourcing vendors oversold claimed capacities.

Beyond the above, IT executives and others leading the DR/BC charge at their enterprises should cautiously and selectively focus their attentions on vendors that have demonstrated the ability and willingness to act as trusted advisors. Figure 2 lists some of the specific indicators for which IT executives and their DR/BC colleagues should look for in their candidate vendor partners.

Source: Robert Frances Group

RFG believes IT executives can and should lead proactive, comprehensive efforts to implement, execute, and manage adequate DR/BC plans at their enterprises. Nothing less than the very health and viability of those executives’ enterprises is at stake. If IT executives can develop effective plans, then form alliances with LOB and senior managers, users, and appropriate vendors, they and their enterprises will be rewarded with more reliable and resilient IT and business infrastructures.