Navigating Through a Catastrophic Disaster: The Five Most Common Mistakes in Business Continuity Planning

Authors:
Joe Oleksak
As we send our thoughts and prayers to the Japanese people, many of us are also reflecting on our preparedness to respond to natural disasters. The notion that one of the most sophisticated and prepared nations is crippled by the recent earthquake highlights the need for a well-thought-out Disaster Recovery Plan (DRP).

Anyone who has ever worked with a DRP would tell you that it’s a massive effort that requires detailed planning. Below are the five most common mistakes organizations make when planning for disaster recovery.

Mistake #1: Insufficient Testing of Plan

Although many organizations have a DRP in place, many often fail to test it. The ultimate goal of any DRP is a quick and efficient response to incidents that may impact the organization’s personnel, operations, and ability to deliver goods and services. Periodic comprehensive testing is the only way to meet this goal.

The frequency of testing varies from organization to organization. As a best practice, we recommend that testing be performed once every 6 months. Testing should at a minimum include roundtable discussions simulating a disaster, but ideally should include test recoveries by operations personnel at designated hot sites, warm sites, or cold sites depending on the risk level identified by the organization.

Mistake #2: Lack of Buy-In

Contrary to popular belief, an effective DRP is never specifically limited to the IT department. It’s important for companies to perform a thorough analysis of all the different business areas within the organization. Representatives from each department must come together and evaluate the criticality of the different business processes. This provides an opportunity for each department within the organization to assess its direct or indirect impact on the organization and other departments. Only through participation by all key stakeholders can an organization achieve full and total buy-in from all parts of the organization – a key requirement in ensuring an effective execution of the plan when disaster strikes.

The common misunderstanding that IT should be responsible for the BCP/DRP likely stems from the best practice of needing a single point of contact. As important as it is to get everyone involved and achieve enterprise-wide buy-in, it’s equally important to appoint a single point of contact to take ownership of the DRP. Why? Because this is the best way to ensure tasks such as updates and testing occur as scheduled. The appointed individual should have a very good understanding of the business processes of the whole company, not just one department.

Mistake #3: Prioritization & Accountability

When a serious catastrophe occurs, it might affect not only the company but also the local community and the nation. This may cause unexpected delays in actual response time.

Each department should perform a high-level risk assessment to establish a target timeline of recovery for critical areas. These target timelines should then be incorporated into the DRP so that recovery tasks are properly prioritized and recovery efforts are realistic given resource constraints. Once these time objectives are established, they should be further evaluated by each department within the company to ensure each group is in agreement with what they’re accountable for. Similar to the DRP itself, these time frames should be periodically reassessed, tested, and approved at least annually.

Mistake #4: Financial Impact

An important factor to take into consideration when developing the DRP is a realistic budget. Many organizations make the mistake of including the disaster recovery budget in the annual IT strategic plan/budget. As we’ve established, in the event of a catastrophe, IT is not the only area that will be affected. Additional resources will have to be purchased and allocated across the organization as a whole. The budget should not only include funding in the event of a disaster, but also include the cost of planning, testing, and maintaining the plan. It’s also critical to maintain a reserve fund to budget for the worst possible scenario to ensure the organization will truly be prepared for the worst.

Mistake #5: Using the Cloud

Many companies have started to virtualize their networks by turning to cloud computing. This option is often beneficial and in fact very popular for disaster recovery purposes. Once networks have been placed on the cloud, the basic requirements for an organization to recover from a disaster are a safe and functioning physical facility and a reliable Internet connection between the company and the service provider.

However, as beneficial as cloud computing can be for disaster recovery purposes, organizations must understand that outsourcing also brings with it considerable risks. Managing the vendor and selecting a reputable provider are crucial to ensuring quality availability and security. Organizations should also ensure redundancy exists in the connection to the provider. Most importantly, companies must take ownership of the vendor relationship and assess the quality of the provider’s processes and controls. For example, a redundant or backup disaster recovery provider may need to be contracted if the current provider does not provide a failover site during downtime or outages.

Cloud computing does not replace a DRP. On the contrary, a formal DRP still needs to be developed to include the details of how to recover the business while using the cloud. Representatives from each department still need to be involved in the planning process and disaster recovery testing should still be performed in a cloud environment.

In Conclusion

The recent disaster in Japan was a tragic event but a critical reminder of how important well-thought-out DRPs are. As we all continue to keep the victims of the disaster in our thoughts and prayers, we should also apply this lesson learned, in their honor, in raising the preparedness of our individual organizations to respond to nature’s call.
