Developing strategies to protect your vital information systems.

 

 

Disaster Recovery Primer

 

Introduction

 

Every now and then, companies go out of business because they have failed to recover from a disaster. In most cases, this is the result of poor planning, or of management believing such events would never happen. The latest example of disaster we can refer to is the tragedy of the World Trade Centre on September 11th 2001: this is something that no one would have predicted, and certainly not on this scale, as it resulted in the total loss of the trading entity itself.

 

Disaster can strike at any time, and often the issues that seem small have the greatest impact on business failure, particularly for small businesses. As businesses today increasingly rely on computer systems and automated technology, the loss of such equipment can result in severe financial loss and threaten survival. The aim of this article is to make you aware of potential disasters and how you can prepare for them before it’s too late.

 

What Is a Disaster?

 

There are many different definitions of ‘disaster’, but for the purposes of this article we can define it as “an event that has occurred unexpectedly with destructive consequences”. Disasters can be put into three main categories:

 

Would a storm put a halt to your business?

Natural Disasters

·       Flooding

·       Hurricanes

·       Blizzards

·       Storms

·       Landslides, etc

 

Can you replace acts of vandalism instantly?

Human Disasters

·       Theft and criminal damage

·       Fire

·       Death/poor health/general sickness

·       Contamination

·       War/conflict/terrorism

·       Workplace violence, etc

 

Do you have back-up systems?

Technical Disasters

·       Power cuts

·       Breakdown of computer networks

·       Gas leaks

·       Communication failure

·       Cooling/heating/ventilation system failure, etc

 

What Can be Lost in a Disaster?

 

This can be anything that prevents your business from operating for a period of time, or to the extreme, even at all.  This can include assets, employees, records, stock, facilities and also suppliers (the disaster does not have to be yours).  To make it easier, we can categorise:

·       The loss of information e.g. customer details, important telephone numbers, etc

·       The loss of access e.g. to an area of the premises, etc

·       The loss of use e.g. stock, on-site and future supplies, machinery, PC network, etc

·       The loss of personnel e.g. a manager or employee through death or illness, etc

 

How Can You Prepare:  The Disaster Prevention & Recovery Plan

 

To help you begin preparing, ask yourself a few questions of the form, what would happen if...? Do not just think of what could happen in the near future, but also of the long-term possibilities. For example, what if your industry went through a recession twenty years from now? Also, look at issues such as global warming: will this affect your business? How would you react to another petrol crisis like the latest in 2001?

 

When listing potential disasters, the attitude you should not take is, "...it will never happen": nothing is impossible as proved on September 11th 2001.

 

In order to prepare, you should compile a ‘Disaster Prevention & Recovery Plan’ to reduce the risk of such events and minimise the amount of loss that could result. The creation of the plan is set out in clearer steps below, but in outline it should identify all potential disasters with a view to your facilities, industry and geographical location. It should also outline actions to take before, during and after a disaster to ensure a quick and cost-effective recovery.

 

Who Should Get Involved In Making The Plan?

 

Top-level management (if not yourself) should develop the plan with the assistance of all key functional area managers/supervisors/staff. It is also advisable to use a consultant who specializes in this area to integrate their expertise into the plan. Employees should also participate as they may identify areas of threat that are unknown to you.

 

Management should determine the maximum length of time they would expect the business to be disrupted in each case, and the amount of money they are prepared to invest to provide back-up for potential losses. Management should also be responsible for prioritizing tasks and actions within the plan and for making sure that they are completed effectively throughout (not forgetting to cover for the loss of the disaster organizer).

 

The time taken to complete the plan should not be restricted: take as much time as necessary. It is an important job and is therefore worth prioritising over tasks that can be temporarily set aside. Once the plan has been completed, it shouldn’t be seen as something that is “done and dusted”. It should be seen as an on-going commitment that needs the direct attention of everyone involved.

 

Formatting the Plan

 

The layout of the plan should be consistent throughout so that it can be easily followed and modified when required. This is particularly important if more than one person is writing the plan so that they do not change the format to their preference. The different sub-headings of the plan should be made clear and stand out for easy reference.

 

Keep the plan to less than c. 20 pages in length, otherwise you’ll find that most people will be put off reading it. A copy of the plan should be kept by all key personnel in your business.

 

Using a Risk Assessment

 

A risk assessment will (1) identify and evaluate the potential level and areas of business disaster and (2) identify the impact it would have should anything happen. The assessment can therefore be split into these two categories. When evaluating the risk, do not waste time trying to determine the probability of something happening: instead use a rating system, of which there are many variations.

 

The assessment should be carried out for each function of the different areas (or departments) of your business, and every potential disaster should be included. Those things at high risk can then be identified.

·       Use a ‘Low, Medium, High’ rating to determine the level of threat for potential disaster. Example: Low: Small chance but unlikely, to High: Could happen at any time.

·       Use a ‘1-5’ rating to determine the level of impact if the disaster happened. The level of impact will be determined by the amount of information that could be lost or the machines/facilities that could be damaged therefore putting a stop to operations.

Example:

 

1: No impact - business can carry on as usual

2: Short-term impact – 1/2 hours

3: Medium impact - operations of the business could be stopped for up to 24 hours

4: High impact – more than one-day, less than one-week

5: Extreme impact - possible relocation or complete business failure

When evaluating, you should consider the following to give a more accurate rating:

·       The frequency of the disaster occurring

·       The advanced warning of the disaster

·       The safety of the information/machinery/facilities concerned

·       The duration of the disaster

·       The consequences of the disaster

·       The financial loss that would result

Depending on your location, the threat of disasters will vary, but the most common threats that you should consider are breakdown, crime, vandalism and fire. On-line computer crime, including fraud, theft and hacking, is also increasing and is becoming a huge threat for web site based companies.
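
The two rating scales above applied to a small register, as an added example that is not part of the original article. The function names, the sample entries, the reading of impact rating 2 as "up to 2 hours" and the rule of ranking by threat first and impact second are assumptions; the tolerable-downtime figure is the maximum disruption that management sets for each case.

```python
from dataclasses import dataclass

THREAT = {"Low": 1, "Medium": 2, "High": 3}
# Worst-case outage in hours implied by each impact rating (None = unbounded).
# Assumptions: rating 2 is read as "up to 2 hours", rating 4 as "up to one week".
WORST_CASE_HOURS = {1: 0, 2: 2, 3: 24, 4: 168, 5: None}


@dataclass
class Risk:
    function: str               # business function or department
    disaster: str               # potential disaster affecting it
    threat: str                 # 'Low', 'Medium' or 'High'
    impact: int                 # 1 to 5 on the article's impact scale
    max_tolerable_hours: float  # longest disruption management will accept

    def __post_init__(self):
        if self.threat not in THREAT or self.impact not in WORST_CASE_HOURS:
            raise ValueError(f"bad rating for {self.function}/{self.disaster}")

    def exceeds_tolerance(self) -> bool:
        """True when the worst-case outage is longer than management accepts."""
        worst = WORST_CASE_HOURS[self.impact]
        return worst is None or worst > self.max_tolerable_hours


def prioritise(register):
    """Highest threat first, then highest impact; ties keep their input order."""
    return sorted(register, key=lambda r: (-THREAT[r.threat], -r.impact))


def needs_strategy(register):
    """Entries that need a recovery strategy, in priority order."""
    return [r for r in prioritise(register) if r.exceeds_tolerance()]


# Constructed sample register (not real data).
REGISTER = [
    Risk("Order processing", "Power cut", "High", 3, 4),
    Risk("Customer records", "Fire", "Low", 5, 24),
    Risk("E-mail", "Communication failure", "Medium", 2, 8),
    Risk("Warehouse", "Flooding", "Low", 4, 200),
]

if __name__ == "__main__":
    for r in needs_strategy(REGISTER):
        print(f"{r.threat:6} impact {r.impact}  {r.function}: {r.disaster}")
```

A low-threat entry with impact 5 is still flagged, because no tolerable-downtime figure covers relocation or business failure.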

 

Prioritizing Your Business Operations

 

The next section of the plan identifies the needs considered critical to your business, i.e. those things that are needed for the business to continue operating should it be affected by disaster. This may include:

·       An operation e.g. printing, a manufacturing process, e-mailing, etc

·       Information e.g. telephone numbers, customer details, etc

·       Documentation e.g. invoices, application forms, etc

·       Key personnel e.g. yourself if you are a sole trader

·       Key Assets e.g. machinery, vehicles, computers, etc

Once these critical needs have been identified, you should order them by importance even if you need at least two of these for your business to operate at all. The final order that you have assigned will determine your order of approach for disaster prevention/security/back up and how long you can afford to delay any actions for each one.

 

Recovery Strategies

 

This will form the main content of the plan and should be covered in great detail, which will come from extensive research. This is where you should determine strategies to allow your business to continue operating when disaster strikes. You should consider every aspect of your business including the permanent/temporary loss of premises, software, hardware, communications, machinery, documents and vital information.

 

For example, if you are a butcher and you encounter a disaster that prevents you from using the premises for a long period of time, do you have an alternative location that you can immediately use? Where could you get adequate freezer storage units so that you can continue trading? How long would delivery take? How much would it cost? Where would you get the finance? The premises would also have to meet health, safety and hygiene standards. There would be a lot more issues to consider but these are just some examples so that you get the idea.

 

Another example: if you are an e-commerce business, in the event of a power cut you could have a computer on a separate power source (e.g. a back-up generator) so that you can continue providing your service. Or you could have a reciprocal arrangement with a local business that you know reasonably well, so that you can relocate immediately.

 

When you determine recovery strategies, you need to consider the costs of implementing them. Be realistic about what you can afford and don’t suggest anything that stretches your budget. But do not totally ignore unaffordable expenses: have a ‘best we can do’ option.

 

Computers: Data and Documentation Back-up

 

To ensure that your data and documentation are safe from a disaster, you should assign a regular period for making back-ups. If information is stored on a computer, you can copy the work onto discs or re-writable CDs (backing up your data files on to a CD is now a simple daily task with a probable cost of 60p a day). You should also make a copy of important information that is on paper by photocopying it or transferring it onto computer discs. You should keep your copies at separate locations, because you never know when disaster could strike either location, losing all data and documents there in the process.

 

The next task is to write an inventory, a copy of which should also be kept off-site. This will include all the machinery and equipment in your business, specifying brand, model, and any other information connected to recovery. You should then list the contact details of the vendors that can provide such equipment/machinery. Further, you should record all important telephone numbers of those people who can help you in case of emergency.
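
A copy kept at a separate location only helps if it still matches the original. The following added example (not part of the original article) records a SHA-256 manifest of the original files and checks each copy against it; the directory layout, file names and function names are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            manifest[p.relative_to(root).as_posix()] = digest
    return manifest


def verify_copy(manifest, copy_root):
    """Compare a back-up copy against the manifest taken from the original."""
    actual = build_manifest(copy_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "altered": sorted(k for k in manifest
                          if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def demo():
    """Constructed scenario: one original, two copies, one copy damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        original = tmp / "office"
        (original / "records").mkdir(parents=True)
        (original / "records" / "customers.csv").write_text("id,name\n1,Example Ltd\n")
        (original / "inventory.txt").write_text("printer, brand X, model Y\n")
        manifest = build_manifest(original)

        onsite, offsite = tmp / "onsite", tmp / "offsite"
        shutil.copytree(original, onsite)
        shutil.copytree(original, offsite)
        # Simulate damage to the off-site copy that nobody has noticed yet.
        (offsite / "inventory.txt").write_text("printer, brand X\n")
        (offsite / "records" / "customers.csv").unlink()
        return verify_copy(manifest, onsite), verify_copy(manifest, offsite)


if __name__ == "__main__":
    for name, report in zip(("on-site", "off-site"), demo()):
        print(name, report)
```

Keep the manifest with the off-site inventory so that a copy can be checked even when the original is lost.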

 

Floor Plans

 

You should include in the plan blueprints of the different floors or areas of your business premises, locating all safety equipment and facilities. This will include the location of fire extinguishers, fire exits, emergency power-off buttons, water sprinkler shut-off valves, and so on. If everyone is aware of their surroundings and the location of key fire/damage equipment, the extent of a disaster can be limited, and controlling the damage in this way can save equipment and facilities.

Does your staff know where to locate safety equipment and facilities?


Testing and Reviewing the Plan

 

Once you have completed the plan, it needs to be tested and looked through to determine that it is feasible and that all the steps have been covered. When testing, you should read through the plan with a series of situations that may occur as a result of disaster, and make an effort to simulate some of the actions that you have written. By following the steps and strategies that you have compiled, you should determine whether the situation could be solved. If not, then you should identify what is missing or where you have been misled. You then need to update the plan.

 

Once the test has suggested that it is feasible and easy to follow, you should review the plan with everyone including your employees.  You should assign responsibilities to people (which will be recorded on the plan) and talk them through it so they understand what needs to be done in every situation: always have at least two people who can do each task.

 

After the plan has been written, tested and reviewed, management should approve it and it will then become their responsibility to maintain and update the plan periodically (at least twice a year). Also when the plan is finished, you should immediately implement any actions that you have identified.  This may be the search for temporary locations, making a back up of information, or anything that you have stated that needs to be done to prevent disaster or prepare for one.

 

Benefits of Planning Ahead

·       Reduces the need for decision making when disaster happens

·       Gives you confidence that your business can continue after a disaster

·       Guarantees the availability of stand-by systems

·       Provides you with a back-up of information and documents if the original is destroyed

·       Reduces the risk of human disaster

·       Makes you aware of those things that can be insured against disaster

·       Improves your ability as a manager

Commercial Insurance

 

Beyond doubt, commercial insurance should be the bedrock of your disaster recovery plan. A visit to a commercial insurer is a must: however, most would be happy to visit you and provide you with a breakdown of your insurance needs. Knowing what to do in a disaster is of little use if you do not have the capability to make it happen.

 

Disaster Prevention & Recovery Plan

 

(1) Identify and evaluate the potential level and areas of business disaster

(2) Identify the impact of a disaster

(3) Prioritize your business operations

(4) Formulate recovery strategies

(5) Test the plan

(6) Review and update every six months

 

Summary

 

Disaster could happen at any time to your business and therefore it is important that more action is taken than just making back up copies of data and documentation.  You should also write and implement a disaster prevention and recovery plan, which will include the involvement of all the management staff and supervisors with the additional input of the employees.  The aim of the plan is to provide you with security that your business won’t suffer from financial loss during the period of disaster and even to avoid business failure.

 

The plan should determine all those areas and functions that face a high threat of disaster and those on which disaster would have the biggest impact should it strike. You should also identify those things that you regard as critical for your business to operate so that actions for dealing with each issue can be prioritised. Your plan should determine recovery strategies for each function with a view to every potential disaster that could happen. This may include stand-by systems and also alternative methods for the continued operation of your business. Further, you should revise ways of preventing human disasters.

 

The plan itself is a form of insurance (but will not replace an insurance policy) that will give you the confidence that your business can continue operating after a disaster. The effectiveness of the plan will depend on how easy it is to understand and follow. Consequently, how well its actions are integrated will also be determined by its quality. It is important that the plan is tested periodically to be sure that it remains feasible and that it is updated with every little change your business makes.

 

 

© 2003 SRS, Inc.