Every business and organization can experience a serious incident that can prevent it from continuing normal operations. This can range from a flood or fire to a serious computer malfunction or Information Security incident.
The management of the organization have a responsibility to recover from such incidents in the minimum amount of time, with minimum disruption and at minimum cost. This requires careful preparation and planning.
By outlining the most common steps in contingency planning and disaster recovery, as well as identifying popular tools and solutions, hopefully this web site will help make this process far less daunting.
It is vital that the organization takes the development and maintenance of the disaster recovery or business continuity plan seriously. It is not one of those tasks that can be left until everyone has time to deal with it. A serious incident can affect the organization at any time and this includes the next 24 hours!
The contingency plan needs to be developed by a team representing all functional areas of the organization. If the organization is large enough, a formal project needs to be established, which must have approval and support from the very top of the enterprise.
One of the first contingency planning tasks to be undertaken is to prepare a comprehensive list of the potentially serious incidents that could affect the normal operations of the business. This list should include all possible incidents no matter how remote the likelihood of their occurrence.
Against each item listed the project team or manager should note a probability rating. Each incident should also be rated for potential impact severity level. From this information, it will become much easier to frame the plan in the context of the real needs of the organization.
Once the assessment stage has been completed, the structure of the plan can be established. The plan will contain a range of milestones to move the organization from its disrupted status towards a return to normal operations.
The first important milestone is the process which deals with the immediate aftermath of the disaster. This may involve the emergency services or other specialists who are trained to deal with extreme situations.
The next stage is to determine which critical business functions need to be resumed and in what order. The plan will of necessity be detailed, and will identify key individuals who should be familiar with their duties under the plan.
Once this plan has been developed it must be subjected to rigorous testing. The testing process itself must be properly planned and should be carried out in a suitable environment to reproduce authentic conditions in so far as this is feasible.
The Plan must be tested by those persons who would undertake those activities if the situation being tested occurred in reality. The test procedures should be documented and the results recorded. This is important to ensure that feedback is obtained for fine tuning the Plan.
Equally, it is important to audit both the plan itself, and the contingency and back up arrangements supporting it. No short cut can be made here.
This stage is dependent upon the development of the plan and the successful testing and audit of the plans activities. It is necessary that all personnel must be made aware of the plan and be aware of its contents and their own related duties and responsibilities.
Again, it is important that all personnel take the disaster recovery planning seriously, even if the events which would trigger the Plan seem remote and unlikely. Obtain feedback from staff in order to ensure that responsibilities and duties are understood, particularly those which require close dependency on actions being taken by others.
The plan must always be kept up to date and applicable to current business circumstances. This means that any changes to the business process or changes to the relative importance of each part of the business process must be properly reflected within the plan.
Someone must be assigned responsibility for ensuring that the plan is maintained and updated regularly and should therefore ensure that information concerning changes to the business process are properly communicated.
Any changes or amendments made to the plan must be fully tested. Personnel should also be kept abreast of such changes in so far as they affect their duties and responsibilities.