subject: Isn't It Time You Started Your Business Continuity Plan? [print this page] Disaster Recovery Planning Disaster Recovery Planning
To help identify what services would be required (and when), it is recommended that a full contingency plan be developed and tested to ensure business continuity. The following key areas should be completed to ensure that the Business Recovery Plan is effective in all circumstances.
Threat Assessment
Firstly, you will need to decide on the disaster scenarios that you wish to protect against. It should also be remembered that prevention forms a very important part of the pre-planning phase, and any areas needing to be improved should also be highlighted at this stage. The provision of a Disaster Recovery service is usually intended to cover, but not limited to, the following scenarios.
Loss of power
Loss of computer equipment
Loss of communication equipment
Loss of Computer room
Total loss of a facility
There are many other disaster scenarios that need to be considered to satisfy that all aspects have been explored. Some of these are non-physical disasters or environmental side effects such as bomb warnings, adverse weather conditions or loss of access to the building caused by a localised incident. It is recommended that you carry out a full Threat Assessment to enable all possible scenarios to be considered.
Business Impact Review
It is both impractical and extremely expensive to deliver 100% capabilities immediately following a disaster situation (particularly with regard to office facilities). It is therefore recommended that a Business Impact Review be carried out to gain a full understanding of the impact to the business, should a disaster situation arise. This will enable you to prioritise recovery procedures for short, medium and long-term recovery periods.
Standby requirements
Once a full understanding of the Threats and the likely impact has been evaluated, it is then possible to determine exactly what standby requirements are needed. These can fall into several areas, such as;
Computer equipment
Communications equipment
Desk top equipment
Printing facilities
Desk space
Voice provision
Standby power
The benefit of this exercise is that the timescales for the provision of each of these services can also be determined.
Disaster Contingency Plan
Once the above requirements have been satisfied a Disaster Contingency Plan can be constructed. At this stage it is extremely difficult to put a time scale on the development of the plan, but experience shows that somewhere between 5 and 10 days should be sufficient for most small companies. A more accurate estimate can be made after stages 1, 2 & 3 have been completed.
The plan should include the following sections.
When to use the manual
How to use the manual
What to do in the event of a disaster
How to recover
Where to find things
Standby facilities
Emergency instructions
Directories
Disaster Contingency Plan Testing
Once the plan is written it is essential to test its effectiveness. Many plans are written and left on the shelf until needed; needless to say, this is not the best time to test a plan! (over 90% of plans do not work first time!). This test will form part of the disaster recovery service, and full use should be made of the time available. The test will normally fall into two main parts.
a)Logistics i.e. getting the equipment and people to site.
a)Restoration of services i.e. application building, data restore and testing prior to delivering a live service.
It may be advisable to break the test into two halves in the first instance to minimise the impact on the day to day business. It is rare to conduct a full blown test involving all staff likely to be affected by a total disaster situation, but it is possible to satisfy the business that a plan has a very high probability of success, and that no areas have been left to chance.
Change Control
As with any document of this importance, good change control procedures are essential. As business requirement change the plan must be amended to reflect this. Standby systems may need to be updated, telephone numbers may need to be changed, and even the impact to the business may change. The main plan should include procedures for change control to cover every eventuality.
