Disaster Recovery planning to do before the planning
Some people will just jump straight into Disaster Recovery Planning, without considering what they are planning for – how do you categorise a disaster? Who decides, and what information do they need to make a decision? What parts of your business can continue to operate using other means – that is, what is your business continuity plan?
Business Impact Analysis is the first step
Before you start anything, you need to investigate some parameters around your business. What would happen to your business operations if a disaster happened? You will need to prepare a few hypothetical situations and consider how the business would continue to operate in each of them. Then, with a business focus, you should evaluate what the real impact would be on the core capabilities of your business – impacts to revenue, products, public and customer reputation, staff and assets.
During this Business Impact Analysis, you will be able to identify how long your business operations can be affected before there is an unacceptable impact to revenue, products, reputation and assets. You may identify that there are some functions which can be unavailable for days or weeks – meaning that you can spend less time and money on these functions. Conversely, you might identify that if your suppliers are not paid, then the impact would be significant – driving you to invest time and money on BCP capabilities for your procurement systems.
Key outputs from the BIA should be a list of functions, Maximum Tolerable Outage, acceptable data loss, financial and other impacts, and a prioritisation.
I have created a BIA questionnaire template here.
Disaster Recovery Planning – pre-planning
Whilst it is important to consider what you recover after a disaster and how, you also need to consider whether you perform a recovery at all. For example, if your email system is down, will this affect your ability to do business, and if so, does it require that disaster recovery is instigated, and hence that all other systems that interact with email are also recovered? This needs to be considered against your business needs and your consumption of IT services. Here are some key questions that you need to consider before starting on your DR planning:
- Who will do the recovery? If your existing experts are not available, is there sufficient documentation of key items like customisations, passwords and security-related procedures, and interactions with other systems? Do not underestimate the knowledge held by your staff – there is information that they may think is shared or common knowledge, but it could be unique and specific.
- Where is your recovery location? Not just for your servers and services, but also for knowledge workers – do they have a computer, do they know how to use it (different OS version or productivity tools – even drive letters or shortcuts). Is there any special configuration that is needed to change (VPNs, new server names and IPs, SSL certificates), including for home/remote users? What about desk space, phones, photocopying or printing, parking and security access?
- How do you communicate to customers? How will they be able to access your services?
- When you recover, will you be operating at disaster load or full production load? That is, will you accept slower processing times? Will all of your systems be available, and if not all, do your staff have workarounds or will they waste time trying to use systems that are not planned to be recovered?
- Have you considered backup of data when you have recovered? If your systems are running in a DR location and business is back up and running, is new data being backed up? What about data (and orders, customer interactions etc) that occurred during the disaster outage?
- What are the timelines? Who makes a decision, and how do you contact them? What information does the decision maker need in order to evaluate if a DR failover is required or if in-place recovery of a system is more appropriate? How long will it take to mobilise people?
- What will you do if your DR site is unavailable – what if the disaster also affects your Internet provider, your power company, your phone (including cell/mobile provider), the ability of your staff to get onsite? If the incident is a disease outbreak, schools will be closed so parents will be at home, and many other staff may not be willing to expose themselves – is there a backup person for your backup person?
- Have you considered the time it takes to recover from backup media such as tape? Can you restore more than one system at a time, and what is the priority order for the recovery (based on dependencies)? Is it quicker to re-install an application on a bare server, or recover the entire server including operating system?
- Where are your documents and keys stored? If you need passwords, are these secured? Is authorisation needed for recall of tape media, and does the off-site backup media location know the location of your recovery site and will they deliver there? Do you have installation media for application software if it is going to be re-installed – what about license keys, activation etc.?
It’s not a full list, but I frequently encounter businesses who have not considered the wider picture of DR planning.
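The BIA outputs and the recovery-order question above can be checked against each other before any DR plan is written. The following is an added example, not part of the original post: it takes a constructed BIA table (system names, hours and dependencies are illustrative), orders restores by dependency and Maximum Tolerable Outage, and reports which functions would still miss their MTO. The rule that a system inherits the tightest MTO of anything depending on it, and the simple greedy scheduling, are assumptions of this sketch.

```python
# Constructed sample BIA output (hours); names and values are illustrative.
BIA = {
    "directory":   {"mto_h": 24, "restore_h": 2, "needs": []},
    "database":    {"mto_h": 8,  "restore_h": 5, "needs": ["directory"]},
    "procurement": {"mto_h": 8,  "restore_h": 3, "needs": ["database"]},
    "email":       {"mto_h": 24, "restore_h": 4, "needs": ["directory"]},
    "intranet":    {"mto_h": 72, "restore_h": 2, "needs": ["database", "email"]},
}

def effective_mto(bia):
    """A system inherits the tightest MTO of anything that depends on it."""
    eff = {name: s["mto_h"] for name, s in bia.items()}
    for _ in bia:  # enough passes to propagate down the longest chain
        for name, s in bia.items():
            for dep in s["needs"]:
                eff[dep] = min(eff[dep], eff[name])
    return eff

def recovery_plan(bia, parallel=1):
    """Return [(system, finish_hour, meets_own_mto)] in restore order.

    parallel = how many restores can run at once (tape drives, staff).
    """
    eff, done_at, pending, plan = effective_mto(bia), {}, set(bia), []
    streams = [0] * parallel  # hour at which each restore stream is free
    while pending:
        ready = [n for n in pending if all(d in done_at for d in bia[n]["needs"])]
        if not ready:
            raise ValueError("circular or unknown dependency: %s" % sorted(pending))
        slot = streams.index(min(streams))
        def start(n):  # cannot begin before its dependencies are restored
            return max([streams[slot]] + [done_at[d] for d in bia[n]["needs"]])
        # Earliest possible start first, then tightest inherited MTO.
        name = min(ready, key=lambda n: (start(n), eff[n], n))
        finish = start(name) + bia[name]["restore_h"]
        streams[slot] = done_at[name] = finish
        pending.remove(name)
        plan.append((name, finish, finish <= bia[name]["mto_h"]))
    return plan

def missed(plan):
    """Systems whose restore finishes after their own MTO."""
    return [name for name, _, ok in plan if not ok]

if __name__ == "__main__":
    for n in (1, 2):
        plan = recovery_plan(BIA, n)
        print(n, "stream(s):", plan, "missed:", missed(plan))
```

With this sample data the procurement function misses its 8-hour MTO even with two parallel restores, because its dependency chain alone takes 10 hours; that is a finding to take back to the BIA rather than something more restore capacity can fix.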