THE RELATIONSHIP BETWEEN DISASTER RECOVERY AND BUSINESS CONTINUITY
DISASTER RECOVERY (DR) - the mere mention of this term conjures up images of the aftermath of the catastrophic events of 9-11, the 2003 New York Blackout and Hurricane Katrina. From a business perspective, the term means one thing - the ability of a business to recover and restore the functionality of its information infrastructure following a disaster.
Consider this scenario: The phone rings on a Saturday night. A crisis has just occurred and your business is in jeopardy. Are you destined to react to this crisis or are you prepared to respond to it? The difference between merely reacting versus responding lies in the planning. To react is to determine a course of action at the worst possible time - during the crisis, with no pre-thought plan or processes in place; to respond implies a well-organized, planned solution that simply requires execution. This whitepaper is designed to show you how to effectively respond to crisis situations instead of simply reacting to them.
To simply react to a crisis is to attempt to construct a course of action on the fly; to respond implies a well-organized, planned solution.
Clearly, pre-planning a recovery strategy is critical to a business's ability to respond to a disaster situation. But while the majority of DR solution providers focus on the assets that make up the IT infrastructure - such as servers, applications, databases and networks - few take into account the business process side of disaster recovery, which ensures the all-important ability to maintain business continuity.
BUSINESS CONTINUITY (BC) provides an enterprise the ability to effectively and efficiently recover and restore business functionality to suitable pre-disaster levels so the operation can continue to serve its customers. Examples of business continuity include: restoring the operational functionality of the sales department, customer service, warehouse operations and the accounting department.
As a leader in the area of business continuity planning, Canvas Systems has developed an effective planning methodology that has helped businesses better prepare for the likelihood of a disaster and ensure minimal business impact.
The Canvas Systems Business Continuity Plan for Responding to Disaster Situations is made up of three components:
- Understanding and Assessing Your Business Risks
- Determining the Components of Your Business Continuity Plan
- Performing Ongoing Management and Testing
This whitepaper provides information on these three essential steps that business managers must employ to effectively prepare for disaster-related events that can disrupt business operations.
UNDERSTANDING AND ASSESSING YOUR BUSINESS RISKS
As any business manager knows, having a good business plan is a critical component to the success of achieving sales growth, market penetration, and/or industry leadership.
Having a business continuity plan is just as important. Before developing this plan, a company must understand all the risks that may impact the business. There are three questions that should be asked when trying to understand and assess risk:
- What risks do we face?
- Are we compliant?
- Where are the gaps?
What risks do we face?
This question deals with risk identification and mitigation or resolution. As the insurance industry often says, 'The best disaster is the one that never happens.' There is a lot less risk and anxiety - and a lot less cost - involved in taking the steps to prevent a disaster than there is in reacting to one after it happens. A big part of preventing a disaster is identifying the primary potential risks that may impact the business and mitigating those risks that are controllable.
Therefore, as part of the assessment process, business planners must determine the specific risks that the business faces, including elements that can be controlled by management and those that cannot.
Risk identification should include the following:
- External Factors - What are the factors in the external environment that are out of management's control, but could have a major impact on business continuity? Is the business located in a disaster-prone area? Are there seasonal hurricanes, periodic earthquakes, severe weather conditions, frequent power outages, or risks of flooding? Is the business in a high crime area?
- Internal Factors - What factors can be controlled if management's attention is drawn to the risks? Have there been security issues with information systems? How well does the security system protect entrances, doors, passageways and the Data Center? Does the HR department perform thorough background checks on all new employees?
- Variable Factors - Are there any laws or regulations that need to be considered, such as federal regulations that hold businesses liable for protecting confidential information? How solid are the company's current disaster recovery plans?
Having a detailed risk identification and assessment plan can also save money. Without it, businesses may spend more for business continuity than necessary. For example, a well-meaning IT manager may decide to sign a multi-year contract with an expensive hotsite DR provider, but that may not be the most cost-effective solution for that particular business and its risk factors.
Are we compliant?
Regulatory compliance is a component of a business continuity plan for companies, especially those regulated by federal legislation.
A rapidly growing number of government and industry regulations exist today, many with detailed requirements for safeguarding sensitive business information in the event of a disaster. In most cases, affected businesses are required to perform periodic risk assessments and disclose any potential liabilities that are uncovered. These disclosure provisions have been interpreted as a requirement to assess and disclose a company's business continuity capability. Two specific federal regulations that contain this stipulation are:
The Sarbanes-Oxley Act of 2002, which impacts all publicly-traded U.S. firms. Sometimes referred to as SOX, this act regulates accurate reporting of financial metrics and the establishment of appropriate safeguards to ensure the safety and accuracy of data.
The act also introduced requirements to perform risk assessments and to disclose any risks that are found.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) impacts all healthcare organizations within the U.S. that have access to patients' medical data. This regulation includes a provision requiring business continuity capabilities to assure a continuing ability to produce patients' records and information when requested.
A Gap Analysis represents the differences between what you believe you have as compared to what you actually have.
Any business that falls under one of these two categories must maintain compliance with the applicable regulatory requirements. The only way to ensure complete compliance is to integrate a regulatory assessment as part of the overall business continuity planning process.
Where are the gaps?
The risk assessment step exposes the differences between business continuity expectations and the actual measured assessment results. This is called a Gap Analysis. It evaluates what the company believes it has in comparison to what it actually has.
For example, if the sales department believes that its internal processes can be back up and running within 24 hours following a disaster, but the IT department assessment has determined that the information infrastructure cannot support those activities until 72 hours after a disaster, then the Gap Analysis will show a gap of 48 hours. For most businesses, this would be a significant and unacceptable differential in maintaining business continuity.
A Gap Analysis can provide a road map of where the company needs to go and the specific goals that must be reached in order to match needs with capabilities. Most important, a comprehensive Gap Analysis outlines a game plan for getting the business fully operational after a disaster.
DETERMINING THE COMPONENTS OF YOUR BUSINESS CONTINUITY PLAN
Once the risk and threat assessments have been completed, the next step in the business continuity planning process is to construct a step-by-step guide that the business will need to follow in the event of an actual disaster. There are four components to building this plan:
- Business Impact Analysis
- Strategy and Solution Design
- Plan Development and Implementation
- Crisis Management Planning
Business Impact Analysis
To prepare for the restoration of business functions after a disaster, a business must know the potential impact that the event will have on each department and its cumulative effect on the overall business. This is accomplished by conducting a business impact analysis.
A critical component to developing a business impact analysis is to build a consensus among the various departments.
A key result of this analysis is building a consensus among the various departments that would be involved in restoring the core business processes after the disaster. No single department can know all the details necessary to bring a multi-departmental, multi-organizational business back up and running after such an event. Since each department knows the intricacies of how it functions, it is imperative that the departments come together to share information and determine important issues such as prioritization, budget control, communications and overall effectiveness, in ways that will best serve the overall needs of the enterprise.
The process of consensus building also provides a unique perspective allowing department managers to grasp higher level business issues beyond their own limited view. A business impact analysis also complements the business continuity planning process by uncovering:
Financial Impacts – What is the financial impact to the business resulting from a disruption? Which areas would have the most or least impact? Could the business save money by restoring certain departments first instead of all departments simultaneously? What would be the financial impact of that decision? Through these types of discussions, the business can better analyze the financial impact of the disaster and design the most cost-effective post-disaster strategy.
Operational Impacts – The impact of a disaster can also be measured from an operational perspective. For example, if a call center is accustomed to receiving one thousand calls a day, how many calls would the company be able to take if the call center was destroyed? Can these operations be quickly transferred to other areas? What would those alternatives be and what would be the impact on the business?
Organizational Impacts – This involves looking at the organizational structure and the changes necessary to provide business functionality after a catastrophic event. What managers have the most qualified leadership capabilities? Who is best equipped to take charge? What departments can shift duties and take on either new, different, or expanded responsibilities? Who can best build a consensus during a crisis?
The graph below in Figure 1 shows the typical impact escalation scope.

Once the business impact analysis has uncovered all of the business issues and requirements, the next step is to take that information and construct a formal strategy and design.
Strategy and Design
During the strategy and design process, it is not uncommon to arrive at more than one beneficial design, each with its own unique cost structure and timeline. Successful executives like to make the best possible business decisions by having all of the facts in front of them.
During this stage, strategic options are reviewed, financial tradeoffs are compared, additional options of present strategies are considered and cost/benefit evaluations are made. In other words, can the organization live with more risk in certain areas in order to create a more affordable approach that will yield, say, 80 percent of what may be needed? The results of the process are then presented to the executive team and a final business continuity strategy is selected. This strategy also defines the timelines that the plan must meet to accomplish the restoration of critical business functions.
As part of the consensus building exercise conducted in the initial business impact analysis stage, each department head and the top executives played an integral role in the business impact study. As part of their participation, they have become stakeholders - and buy-in participants - in every part of the process, including the financial considerations and consequences. Using funding as part of the design phase is much more effective than presenting strategies and then having to solicit funding later.
The illustration below in Figure 2 shows the relationship between costs and recovery options over time.

Figure 2: Recovery Option Analysis and its Relation to Cost - The kuter the time necessary to recover from a disaster, the greater the solution cost will be to the business.
Plan Development and Implementation
The Plan Development and Implementation stage is best described as the brick and mortar of the strategic plan.
During this phase, the details of the recovery are worked out and procedures are determined to implement the strategic design plan for each department. The details of the business unit and IT recovery are all determined. Logistics are also decided. Some of the questions addressed during the plan development and implementation stage include: How will critical systems and applications be replaced and restored? How will eBusiness functions be recovered and replaced? How will Data Center facilities be built out? Who are the players that will participate in the recovery and reconstruction and what are their responsibilities? In what order will the recovery and reconstruction of IT and the various departments take place?
Crisis Management Planning
A Crisis Management Plan is developed as an overarching process for responding to any crisis the business may face. In this final stage, the details of how the 'war room' will operate during and after a disaster are determined. Typically, the crisis management team is made up of the departmental managers, representatives from top management and the CEO.
A crisis management plan is not only disasters or 'acts of Go
With the preceding steps, the business should have all of the pieces it needs to implement an effective business continuity plan. But the path to success does not stop here - the plan relies on ongoing maintenance and testing to stay up to date and fully functional. The illustration shown in Figure 3 below shows how all the pieces fit together as part of a typical organizational structure for command and control.

ONGOING MANAGEMENT AND TESTING
Let’s face it, change is a part of every business. Organizations change. Divisions are merged or added. People leave and others are hired. Systems and IT infrastructures are replaced. Processes, procedures and business rules are modified. Many companies that experience rapid growth as an integral part of their industry accept dramatic and frequent changes as an ongoing part of their day-to-day business activities.
Given the prevalence of change, it is imperative to not only keep a business continuity plan up to date, but also to keep the personnel who must implement the plan routinely knowledgeable and prepared.
This is the only way to ensure that the business continuity plan will actually work in the midst of a crisis.
Routine and rigorous testing of the plan is an absolute requirement of success and it can be assured by following these steps:
Step 1: Putting the Plan to the Test
A chain is only as strong as its weakest link. The organization should now have a plan in place that includes solid strategies incorporating the company’s priority business needs. At this stage, testing is critical to practicing and improving the business continuity plan. Like the weak link in a chain, a plan that has not been well tested, maintained and updated will usually fail at the time it is needed most.
Periodic reviews and training exercises are the best way to test the basic principles, requirements and capabilities of the plan. A progressive testing program can also stimulate continuous improvement and provide assurances that everyone identified in the plan is ready.
Through these exercises, the organization can identify where the plan may be off course from initial projections for recovery times and stipulated goals. These tests help identify metrics with which to analyze whether the plan implementation was a success or a failure.
Step 2: Analysis - Using metrics to determine success.
Unfortunately, many testing programs merely test without providing for adequate evaluation and analysis. Often, shortcuts are taken – such as advanced shipping of backup tapes to the recovery facility or setting up call center lines and phones in advance of a test – in an effort to facilitate the test, thus undermining the accuracy of real results.
A responsible executive will want and need to know if the company’s DR and BC plans are truly reliable with accurate test results. He or she will want a foolproof way to know if the company received any benefit for the time and money invested in the plan and in the test. Is the company better prepared now that a test was completed?
The truth of the matter is that unless specific metrics are built into the test planning, monitoring and results analysis process, it is almost impossible to know. That is why a metrics-based testing program is so important. It is the only way to determine relevant results.
With a metrics-based approach, specific goals and objectives are set for each test component. Relevant criteria are established for how success or failure will be measured or determined as the test progresses. The measurement points of each metric evaluate whether the specific tasks were performed within the time parameter required to meet the overall recovery strategies and objectives. Post-test analysis will identify what went right and what went wrong based on the established criteria. With this data, composite results can be determined and systemic problems identified and corrected.
A metrics-based approach is the only way to know if a test was truly successful and the only way to have true confidence in the company’s readiness and ability to recover from a disaster.
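The metrics-based evaluation described in Step 2, combined with the Gap Analysis from the risk assessment section, as an added example that is not part of the original whitepaper. The component names, hours and the `prestaged` flag are constructed for illustration, and the recovery tasks are assumed to run one after another.

```python
from dataclasses import dataclass

@dataclass
class Component:
    name: str
    objective_h: float       # time allowed by the recovery strategy
    measured_h: float        # time observed during the test
    prestaged: bool = False  # hypothetical flag: a shortcut was taken before the test

def score(c):
    """Return (status, overrun_h) for one test component."""
    if c.prestaged:
        # A pre-staged step says nothing about a real recovery.
        return "INVALID", None
    overrun = c.measured_h - c.objective_h
    return ("PASS" if overrun <= 0 else "FAIL"), overrun

def evaluate(components, expected_recovery_h):
    """Composite result of one test run.

    Assumes sequential tasks, so the end-to-end recovery time is the
    sum of the measured times.
    """
    results = {c.name: score(c) for c in components}
    statuses = [status for status, _ in results.values()]
    measured_total = sum(c.measured_h for c in components)
    if "FAIL" in statuses:
        verdict = "FAIL"
    elif "INVALID" in statuses:
        verdict = "INCONCLUSIVE"  # nothing failed, but not every step was really measured
    else:
        verdict = "PASS"
    return {
        "results": results,
        "verdict": verdict,
        "measured_total_h": measured_total,
        # Gap Analysis: what the business believes it has vs. what was measured.
        "gap_h": measured_total - expected_recovery_h,
        # With pre-staged steps the real total, and so the gap, can only be larger.
        "gap_is_lower_bound": "INVALID" in statuses,
    }

# Constructed sample run: the business expects recovery in 24 hours,
# the test measures 72 hours end to end.
SAMPLE = [
    Component("Retrieve backup tapes", 6, 4, prestaged=True),
    Component("Rebuild servers", 10, 36),
    Component("Restore databases", 6, 30),
    Component("Bring up call center lines", 2, 2),
]
EXPECTED_RECOVERY_H = 24

if __name__ == "__main__":
    report = evaluate(SAMPLE, EXPECTED_RECOVERY_H)
    for name, (status, overrun) in report["results"].items():
        note = "" if overrun is None else f"{overrun:+.0f} h"
        print(f"{name:28} {status:8} {note}")
    bound = " (lower bound)" if report["gap_is_lower_bound"] else ""
    print(f"verdict={report['verdict']} gap={report['gap_h']} h{bound}")
```

Components marked `INVALID` are the ones to rerun without the shortcut before the composite result is reported to the executive team.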
Step 3: Keep plans current and viable.
A business continuity plan is not a destination, but a journey. Most cost-conscious executives want to know how frequently their business continuity plans need to be updated in order to ensure success, while, at the same time, saving the business from unnecessary costs. The answer to this question depends on how frequently change occurs within the organization, business environment and industry, as well as external factors, such as the company’s location.
If the company is relatively stable with infrequent changes to the environment, then revisiting the plans annually or semiannually may be sufficient. However, if the business is one that experiences a high rate of change, such as rapid business growth; merger, acquisition, or consolidation; high employee turnover; market volatility; or frequent technology upgrades to its information infrastructure, then more frequent plan updates are recommended. This might mean designating a permanent planning staff or even outsourcing the BC program.
The desire to achieve relevant results should be driven by a metrics-based testing program.
In any event, results from the testing program, as well as organizational, operational and technological changes, must be quickly incorporated into the business continuity strategies and plans to keep them effective. This requires a commitment to provide ongoing support for the program. Keeping a commitment to the ongoing testing and review of a business continuity program will help the organization better evaluate what portions of the plan need to be updated as periodic changes take place.
As these testing, analysis, evaluation and modification steps become part of business operations, they will instill a high level of confidence that the business will be able to weather any disaster that may come along, as well as ensure the long-term survival of the enterprise.
SUMMARY
Creating an effective business continuity plan is a critical step to maintaining the lifeblood of a business after a major disaster or crisis. Like any important task, the efforts made at the front end will ensure success at the back end and those efforts will pay for themselves many times over should recovery action ever need to be taken. Being able to assure clients, business partners and employees that the company can continue to provide for their needs even after a crisis or disaster is a priceless business value.
OVERVIEW STATEMENT
With over $100 million in inventory, Canvas Systems is one of the largest independent suppliers of new and refurbished IT equipment in the world. Our immediate access to IT equipment from the leading manufacturers, such as IBM, HP, Dell, Cisco and Juniper, helps our clients realize significant cost savings of 50-70% off at every stage of the IT lifecycle: Acquire (buying, selling, renting, & leasing equipment), Support (maintenance & disaster recovery/business continuity services), Remarket (reselling equipment), and Recycle (proper disposal & destruction services).
Our staff features some of the top certified engineers in the country, all of whom spend their days testing and retesting equipment so they know it inside and out. This expertise allows us to provide a variety of high-end services, including maintenance, leasing and rental, data migration, supply chain solutions and disaster recovery/business continuity, at rates that are a fraction of those charged by the well-known consulting firms and service providers.