A number of studies have been conducted over the years regarding Disaster Recovery (DR) planning and it’s importance to business. These studies increased ten fold in the wake of 9/11 and the results were consistent- “it’s not will you need a disaster recovery plan, it’s when.”
The statistics above clearly demonstrate that businesses need a DR plan, ideally one that addresses both business and IT because they can result in different scenarios. Unfortunately, despite the wealth of information regarding the importance of DR planning, 30-40% of all IT organizations do not have a DR plan nor do they know how to properly use the one they have.
Don’t launch a DR plan planning exercise without engaging the right people
The first step in the DR planning process is to engage with the business leaders to gain buy-in and support for this process. Most companies launch a full blown DR planning effort without realizing that development of a DR plan is a complex and invasive project that can take many months or even years to complete depending on the size of the company. The project demands significant time and involvement from the organization; valuable resources that are almost always in short supply causing projects to either fail or be deferred.
The Interim DR Plan
A key to succeeding in the establishment of a DR plan, that is both functional and provides a solid foundation for subsequent revisions to the plan, is to start small and evolve to a plan that is specific to the needs of the organization. In DR terms this is usually called an “Interim DR Plan”. An Interim DR plan covers the basics of a particular DR scenario (such as the complete loss of the data centre) and identifies the necessary information and processes to recover the key systems needed to continue to operate the business.
The importance of reviewing your plan
An Interim DR plan is critical to the development of a comprehensive DR plan. Once the Interim DR plan has been established and tested, a review of the assumptions used in its creation should be conducted. This review must involve the business and IT teams to identify the risks associated with each assumption. As a result, the IT group can cost the necessary mitigation strategies and the business and IT can then review and agree on how to deal with gaps for the next iteration of the DR plan. This iterative process should continue for some time in order to provide the necessary flexibility to the business and IT regarding costs, resource demands,and execution.
The final critical piece of a DR plan is related to awareness and continuous improvement. Once created, the DR plan is a living document that needs review and update. There were a number of businesses during the 9/11 disaster that had DR plans but whose plans were out of date because they did not follow a continuous improvement model and the plan was, in the end, useless. The organization, the vendors, partners and customers all need to be aware of the plan and they need to be involved in ensuring it is maintained.
Regular testing for effectiveness of the plan
The plan is only as good as its’ last test. DR plans should be tested yearly (or more frequently, if possible) as this provides feedback on the effectiveness of the plan and identifies gaps that may be present and must be mitigated in the next revision.
- 40% of businesses surveyed tested less than once a year and another 40% of those surveyed did not do a complete test of the plan.
The IT DR plan will be a long term and complex undertaking that has proven to be an absolute requirement for business success. Start it modestly, covering the absolute basics to keep the business running; update it every year with a complete review and conduct a full test; communicate the plan to everyone inside and outside the company and evolve it through an iterative process that uses the DR test as a feedback process for the next revision of the plan.
Written by Greg Stopelli, Senior Associate at Litcom.