Disaster Recovery or Business Continuity?

I remember a great quote by Sir John Harvey Jones, he said “The nicest thing about not planning is that failure comes as a complete surprise rather than being preceded by a period of worry and depression”This is still the approach many customers take when it comes to Disaster Recovery and Business Continuity. However, with high profile events over the last few years, along with new legislation, many customers are driving forward with projects to protect their business should an unplanned interruption occur.As computing power gets ever more powerful and costs keep falling, in addition to the high availability of broadband network services, the time has never been better for customers to consider tackling this critical issue; but where do they start?Do you want a Hot Site, Warm Recovery, Cold Space? Do you want Disaster Recovery or Business Continuity? Do you want A Mobile, Static or Business Recovery Centre? What do want you cover? How quickly do you need it? (once you’ve decided what it is!). Etc, etc, etc.No wonder the customer is confused and ends up putting the exercise off. I spoke to a customer recently who had been subscribing to a Disaster Recover service for many years, only to find that when he needed the service it failed to work! This was because they had been focusing on a Disaster Recovery service, and not Business Continuity.So what is the difference?Disaster Recovery services tend to focus on the provision replacement resources. These are often provided on a shared subscription basis by specialist suppliers (hardware, network connections, office space, computer rooms, voice etc.). Business Continuity is exactly what is says on the tin; Business Continuity. In other words it provides continuity of business following an unplanned interruption. But there are many areas that need to be explored before a full Business Continuity Plan can be developed and tested.The common steps that need to be taken are shown below.Threat Assessment – The very first step on any successful Business Continuity Plan is the Threat Assessment. If you don’t know what you are trying to protect yourself against how can you possibly protect yourself?Many customers find this exercise invaluable as it also highlights risks to their business that could be reduced, or in some cases removed all together: Therefore, prevention forms a very important part of the pre-planning phase. Any areas needing improvement should also be highlighted at this stage.Many customers identify the more obvious threats such as bombs, air crashes etc, but many ignore the less obvious, such as non-physical disasters or environmental side effects such as bomb warnings, adverse weather conditions or loss of access to the building caused by a localised incident. How many customers are aware of what risk their neighbouring business pose? Do they house combustible or toxic materials? Would they attract attention of extremist groups? Could a localised incident prevent you from accessing your facility? If so, for how long?Business Impact Review – This is when it really gets down to the true impact on the business. One of the problems of constructing a successful Business Continuity Plan is balance: What do I want, and when do I want it? It is quite simple really, the quicker you want it the more is costs! To balance this, the customer has to review the real impact on his business of an outage (loss of revenue, loss of customers, impact on share price, legal requirements, cash flow protection etc.). Even if the impact is so severe the customer will find it very difficult to re-deploy their entire workforce to a recovery facility within very short timescales. Several emergency events in London have highlighted the impact on public transport and the road system (these were so severe that some customers found that they could not get their staff to a recovery facility!). Therefore it is essential that recovery options are priorities for short, medium and long term.Resource Requirements – Now we know what we want, and when we want it, it is possible to start looking at the Disaster Recover element of Business Continuity. Remember I mentioned short, medium and long term recovery? Well, this is where Hot, Warm and Cold come into the picture.Hot Recovery – is normally available in minutes. This service would utilise a complete live replacement service, at an alternative facility, with a suitable network connection in place. This would enable customers to transfer operations to the recovery system with minimum (sometimes zero) impact to the business. The obvious disadvantage of this is the cost.Warm Recovery – Although Hot Recovery is gaining in popularity, Warm Recovery is still by far the most common solution deployed. Warm services are usually based on a shared subscription (shared risk) basis, and are available within hours of invocation. Typically it would take up to 24 hours to have the systems up and running to support the business. Warm can be provided in several ways; ship-to-site, where the equipment is loaded onto the back of a van, delivered and installed on the customers’ site (obviously there has to be a site to deliver it to!). If the compute room was impacted by the outage the service could be delivered in a Mobile Recovery Facility (a computer room in a lorry). And if the site is not accessible at all a remote Recovery centre could be utilised.Cold Solutions – Although less common, cold space (empty office and computer facilities) can still be attractive for the medium term. Enabling customers to recover 50% to 80% of their operation via Hot or Warm options, and relocating within a few days or weeks to a suitable location.Business Recovery Centres – Business Recovery Centres are located around the world and can help the customer streamline resumption of normal office-related business processes following a disaster. These facilities include up to a thousand desks equipped with PCs, phones, and computer rooms. They also offer meeting/board rooms, canteen and recreational facilities and even secretarial support, along with full telephone switch and communications capabilities including PABX/ACD, ISDN,ADSL, SDSL, MPLS and other networking connections.Now it’s just a simple matter of writing the plan and testing the recovery! And of course, looking at standards such as BS 25999; but that will have to wait until my nest papers.For more information visit EMA Continuity

Disaster Recovery Invocation Procedures

The following procedure illustrates at high level the first 24 hours following disaster invocation. This procedure is based on a “warm” recovery service.Following a disaster, clearly defined steps/actions need to be taken to enable business continuity. During the first 24 hours these steps will fall into the following categories.Initial AssessmentTimescales – Immediately (T + 0)Following a disaster situation the first step that must be taken is to assess the current situation. This will be carried out by the Disaster Co-ordinator, who will decide if the Disaster Management Team needs to be assembled. The team will need access to a Disaster Command Facility, if the primary location is not accessible for any reason. The Disaster Management Team and Command Centre should be detailed, along with relevant phone/mobile numbers and directions in the Business Continuity Plan.The relevant emergency services should have already been notified of the situation. The Disaster Management Team would act as the main focal point for the emergency services.It may be necessary to make a pre-invocation call to put the Disaster Recovery service on standby, thereby reducing the response time should the service be formally invoked.Disaster Management MeetingTimescales – within 1 hour (T + 1 hour)If it is necessary to call a formal Disaster meeting, this should happen within 1 hour of the event. It may not be possible to get all members of the team together in these timescales, therefore all essential members should be agreed upon and documented in the plan.The Disaster Management Team’s main role would be to:­ Define the problem
­ Define the extent of the disruption
­ Determine the likely impact on your business
­ Estimate outage length (where possible)
­ Invoke Disaster Recovery service if applicable
­ Formally set up Disaster Command centre
­ Agree team’s objectives for next three hours
­ Agree formal verbal report for senior management
­ Agree on staffing levels needed at the present time
­ Send non-essential staff home (if during office hours)
­ Contact non-essential staff at home (if out of hours)
­ Call in additional staff (if out of hours)
­ Set up next meeting for T + 4 hoursDisaster Review MeetingTimescales – within 2 hours (T + 2 hours)At this stage you should have a much more detailed understanding of the situation. This will enable a full written report to be produced for senior management.The Disaster Management Team will have by this time:­ Invoked the disaster Recover Service (if applicable)
­ Set up a temporary Disaster Command centre
­ Mobilise essential staff membersIf applicable the warm standby (Disaster Recovery) services should be available by this time to start configuration of the standby systems.Configuration of Standby EquipmentTimescales – within 2 hours of invocation (T + 4 hours)Warm Disaster Recovery configurations are normally scheduled to be available within 2 hours of invocation. By this time the site should be ready to receive the equipment. Power and Communications should be enabled and facilities for the essential staff should be available. Additional equipment needing to be purchased may arrive some time after this. The backup media will also have arrived onsite.Restoration of Data and TestingTimescales – within 20 hours of invocation (T + 22 hours)Up to 8 hours may be required to restore and test the system. Comprehensive user acceptance test (UAT) procedures should be documented in your Disaster Recovery Plan to ensure the systems are fully operational before they are announced to be live to the end user.Systems available to end usersTimescales – within 22 hours of invocation (T + 24 hours)At this stage you should be able to resume some (or all) of your business activities (depending on the scope of the disaster). It is critical at this stage to plan for full business restoral. These steps should include:­ Interim requirement such as larger temporary accommodation
­ Refurbishment of damaged offices (if applicable)
­ Identification of new premises (if applicable)
­ Replacement of damaged equipmentA full Business Resumption plan should also be produced, detailing the transition from the standby facility to permanent offices.Visit EMAContinuity @ http://emacontinuity.com