Disaster recovery planning for business continuity

Disaster Recovery Planning

Over the last several years corporations have been wrestling with a number of different disaster / security related issues. This is because of the increasing amounts of threats made against businesses and their executives, by terrorist organizations along with a variety of natural disasters that must be planned for. A good example of the overall severity of these threats made against businesses can be found by looking no further than the killing of a bomb maker named Dulmatin (in Indonesia). This is significant because he was the bomb maker that manufactured the bombs used in the 2002 Bali terrorist attacks. The terrorist group that he was associated with was in the process of planning another major terrorist attack, on various business interests in Jakarta. According the police officials, the terrorists were planning on conducting a coordinated attack similar to the one that took place in Mumbai, India in 2008. The idea was to use the explosive devices to gain access to various international businesses frequented by foreigners. Then, take them hostage as part of an overall change in tactics. This follows attacks that have taken place in Jakarta after the terrorist bombings on the Marriot Hotel in 2003 and 2009. (Pathoni) What this shows, is how various terrorist tactics are constantly changing and that all business must be prepared for anything that can happen. To be most effectively be prepared for these different terrorist attacks and natural disasters requires that you have a disaster recovery plan in place. However, to create any kind of disaster recovery plan requires that you ensure that all elements of a location security are never compromised. This would include: accounting for data recovery, the Emergency Operations Center (EOC), personnel issues and the estimation for the costs of having such a plan in place. Together, all of these different elements will highlight how all corporations can effectively plan for a variety of disaster related situations.

Establishing a Disaster Recovery Plan

In general, most large corporations will spend between 2% and 4% of their annual budget on planning for various disasters. This is because of the low odds a company / location have in being able to effectively overcome such situations, especially when you consider the fact that valuable data could be lost. In these cases, those companies who are experiencing these issues will face an uphill battle in bringing a location back to normal. According to a study conducted by Health Management Today, they found that those business or locations that experience a loss of data as a result of a terrorist attack / natural disaster will have a 43% chance of never reopening. Those who do reopen after such an incident; stand a 51% chance of closing within two years. While, there are only 6% of those companies / locations that will return to normal after such incidents. (Hoffer 79 -- 85) To effectively create a disaster recovery plan requires that you consider a number of different factors during the planning process to include: perform a risk analysis, establish a budget, create the plan and test the plan. Then, utilize each of the different steps laid out in establishing an effective plan. Together, these different elements will help to institute a disaster recovery plan that will protect the company and it numerous locations from a number of different disasters or terrorist related events.

When you analyze the overall risks, this issue seems like something that is very obvious to all CEO's and company officers. However, to effectively conduct any kind of effective risk analysis means that you must examine all variables that could affect the security of the company and a location. This could include everything from: in house recovery planning (i.e. situations such as data being lost by an employee) to the more complicated attacks that could take place (including cyber attacks). When conducting this initial risk assessment, it is important to look at anything that could posse a risk to the company or any of its assets (no matter how small it could be). (Kunene)

Next, you want to establish a budget for countering the possible risks that were identified. During this phase of planning, you want to be thinking proactively about limiting exposure to possible threats. This means, you want to see what would be the total effect that any kind of downtime will have on a location. This would involve analyzing the costs that the company would face as far damages and publicity, because of an event that occurred. Next, you want to analyze the different costs associated for various counter measures to protect the company / location from a variety of different scenarios. Together these two elements will provide the most accurate assessment as to what are: the total costs of an incident on a particular site and the investment necessary to prevent the worst case scenarios. (Kunene)

The third step is: to develop an effective plan. During this process you want to be sure to address all issues that are vital to a company / location including: accounting for data recovery, the Emergency Operations Center and personnel issues. There must be an emphasis of having a location or an alternate location up and running within 24 to 48 hours. This will avoid the disruptions that can drastically affect the chances of a particular site reopening. (Kunene)

The fourth step is: to continually test the disaster recovery plan. Once an effective plan has been implemented, you must constantly test the plan. This means that a number of surprise scenarios must occur frequently, to ensure that all security measures are in place. If there is a weakness in the security that is discovered at any point in time, you must address the issue immediately. (Kunene)

Company / Site Location Issues

Data Recovery

The company has 12 locations that are vulnerable to natural disasters in the Southeastern and Midwestern United States (i.e. hurricanes / tornados), along with three locations that are in hot beds for terrorist activity. This means that there are multiple threats that could be facing any of the company's different locations around the world. Therefore, it is only prudent that a disaster recovery plan be utilized where there will be specific company guidelines. Then, this plan must be adapted to each particular location to address the unique threats and challenges. When establishing the plan, it is important to consider how any kind of data recovery will take place. This is because many companies find the process of storing / retrieving data cumbersome as well as expensive. A good example of this can be seen in a recent survey conducted by Enterprise Storage Group. Where, they found that 51% of businesses worry that their data recovery system is not adequate. The most common reason why so many businesses were having problems with their data recovery system is: the process was too long and there were large amounts of time / resources spent on addressing the problem. What this shows, is that in order for any kind of data recovery plan to be effective requires that the company consistently address any kind of issues that may come up. (Kunene) This means that there must be a constant focus on protecting those systems that are vital to the company / location. Where, a variety of different data systems are used to store large amounts of information ranging from customers lists to information on key personnel.

The first step in this process should be: to examine and catalogue the different databases / technological systems that the company is using. This would include: examining everything ranging from the company emails to specific databases used by the various departments. Next, you want to examine the kind of back up system that is currently being used to store all relevant data. During this part of the process, you want to think about how long it would take to recover this data and what amounts are capable of being stored. This will point you in the right direction, as far as identifying what data is important and how long it would take the company to retrieve any lost data, using the status quo.

The second step is: to begin searching for ways to address the obvious weaknesses as far as data recovery is concerned. Where, you want to increase the overall amounts of recovery time dramatically. Since the company uses its data / email system to communicate with various executives and locations around the world, means that a procedure must be in place to reduce down time as much as possible. This means that a company wide backup storage system must be stored in location that will not be effected by natural disasters or terrorist activities. One way to accomplish this objective would be to create a data storage center that is away from these different areas. Such as: choosing a location that could be in a rural area without any the different issues. Then, the overall structure of this facility would have to protect the location against any kind of weather related events. For example, the company could consider placing the data recovery system in the desert between West Texas and Nevada. In general, these areas are not subject to tornados or hurricanes. You could then choose, to place the location for all backup servers in a facility that will protect it against the weather such as: placing it underground. Once the facility is complete, you want to ensure that there is key staff to monitor and address any kind of issues that arise. Using such a system, will allow you to reduce the overall amounts of lost data that can occur at a particular location (due to weather / terrorist related activity).

Emergency Operations Center

The next issue that is going to be faced by the company / location is: establishing an Emergency Operations Center (EOC). In general, an EOC will serve as a place where the company can effectively coordinate a response, perform any kind of recovery effort and most effectively direct the company's resources to the most appropriate places. The most important aspect that should always be kept in mind when designing the EOC is: that the objective is to effectively coordinate communication as much as possible. This is important because, once an actual event occurs, the overall amounts of communication will speak volumes, as to how severe the property damage and casualties could be a location. Once this basic foundation has been established, you want to begin implementing what is known as the Incident Command System (ICS). This is a management system that effectively establishes procedures for the EOC including terminology, how information is released to the press and the proper procedures for most effectively coordinating different responses. The biggest advantage that this system offers is: it can be implemented quickly and adapted to a variety of real time situations that are occurring on the ground. (Kunene)

Next, you want to ensure that there will be competent managers who can take command of the situation once an incident occurs. This means that you must place key personnel at certain locations and have a chain of command in place, where a second or third person can fill in if something unexpected happens. This is important because once an incident occurs, means that the company will have a window of opportunity to establish effective command and control over the location. When, you have select personnel at the various locations that are trained for such events, means that they can quickly have the EOC up and running. This command structure; will ensure that everything at the location will work in accordance with the objectives stated in the company's disaster recovery plan.

Personnel Issues

Personnel issues are the third aspect that must be carefully examined, for any kind of disaster recovery plan that the company is working on. This is because having a focused effort that will train and direct various resources to the points that they are needed most, will help to mitigate any kind of collateral damage that could occur. Otherwise, the resources of the company will not be directed to help alleviate the situation, only making the problem worse. A good example of this occurred during Hurricane Katrina. Despite, the fact that everyone knew a major storm was headed towards New Orleans several days before, the disaster recovery plan of the city and state were ineffective. This is because many of the key personnel did not fully understand their responsibilities. Then, when they wanted to go to particular areas they were instructed to wait. This lack of communication and not having the various personnel in place only increased the amounts of damage and casualties. (Hoffman) To avoid these kinds of situations, the company may want to consider creating disaster recovery teams, where a specific team is assigned various aspects of disaster recovery. Each person would be assigned various responsibilities / duties. This will to help protect the location against various kinds of possible threats. You would then, have one or two people trained in the same job as a backup. This will effectively organize personnel, as to what their roles are during the event of a disaster and what they can do to be aware of unusual activity. These two elements will help to reduce the possible risks and prepare for any kind of situations that need to be dealt with quickly.

Next, you want to create situations that will consistently test key personnel on various issues. This means, that you must continually have mock drills on a wide range of events and then critique everyone on how well they performed during the exercise. You would then, want to continue to have different exercises that focus on specific threats that are relevant to a location. For example, the three locations that are in the middle of terrorist hot beds would obviously have to focus more on a number of terrorist related issues. While the locations in the Southeastern and Midwestern United States would have to worry about natural disasters and terrorist events. At each location this would mean, taking the company disaster recovery plan and then implementing the parts of it that are relevant. Once this has been established, you want to then create several teams that would test a site for various vulnerabilities, unannounced. This means, those members of these different teams would go to various locations, blend in and then attempt to exploit the various security related issues. Over the course of time, this would help each specific location to see how and in what ways they are most vulnerable, to a number of different scenarios. This will help to consistently reinforce the attitude of always being watchful within the company itself.

Cost Estimates

The company is large multi-national corporation, that has adjusted revenues each year are $1 billion. This means that the company would need to normally spend in the first two years on training and establishing the disaster recovery plan of: 5% of the total revenues. This number is above the 2 to 4% that was stated earlier. The reason why 5% was chosen for the first two years was to ensure that the added expenses of: bringing in additional personal, technology, consultants and training were realistically budgeted. This would give the company a total budget on developing an implementing an effective disaster recovery plan of: $50 million each year (for the first two years). Within this number would include: added improvements that will be required for each location ranging from data recovery to within the physical plant itself to security. For example, in those locations that are in the hot zones for terrorist activities, a number of different costs will be required to address all primary threats. These would include: added guards, increased surveillance equipment, construction of specific security gates / barrier (such as cement barriers to prevent car bombings), consultants and the constant drills that must take place. In each of these different locations, there must also be a specific assessment as to what threats are the most pressing. In this particular case, an outside security consultant would be required to perform an assessment. The costs for preparing each location for the various threats that they could be facing could be as high as $1 million per location. Then, there are the costs of training and testing the effectiveness of the plan. In this particular case, holding a series of four different drills per year could cost as much as $3 million per location. The reasons why these costs are higher are: the added amounts of time, training and planning, that is required in coordinating these different events. Then, there are the costs of having consistent random checks for various weaknesses. This means, that there must be a series of different teams will randomly test the disaster recovery plan of each location. In general, the costs for having the different teams engaging in such actions would cost $6 million per year. Then, you must account for building an underground data storage facility in the desert southwest. This will cost approximately cost $4 million to implement. The remaining $1 million would be used to provide additional improvements in the disaster recovery plan, that are found after the random checks at each location.

During the preceding years, the total amount of revenues spent on the disaster recovery plan will then fall within the 3% range or $30 million per year. This money, would be used to provide each location with updated equipment, analyze the disaster recovery plan that is in place for each location once year, analyze the disaster recovery plan of the company every year, test the various locations for weaknesses, address any weaknesses found, ensure that the data recovery center is always available and provide continued training to the staff. If the cost of various disaster recovery planning rises during this time, the total amount spent can be increased by 1% to accounts for any changes in inflation. These total costs can be tied directly to the producer price index. This is: the cost that manufactures are paying to produce various goods and services, to sell to consumers. When you are ensuring that any cost increases are reflected in spending. This is making certain that the same dollar amounts, that are spent on security remains the same. Together, these different elements will help to effectively implement and maintain a disaster recovery plan.

Putting it All Together

For any kind of disaster recovery plan to be effective, means that it must be focused and have flexibility. Using the different elements for establishing a plan and the specific location / company related issues means that two plans must be created. This involves, a master disaster recovery plan must being developed that will provide guidelines for dealing with various weaknesses and issues. This would be undertaken using the steps outlined in for establishing an effective plan. Then, you must go to each specific location and create a disaster recovery plan that will address the issues that are specific to them. This means, taking the company's disaster recovery plan and then customizing it. During each step of the process, several consultants will have to be brought in to address the issues in the company's disaster recovery plan. Then, they will go to each location and conduct assessments for various vulnerabilities.

Once the plans have been implemented, there must be a consistent focus on ensuring that the disaster recovery plan is changing with the various threats from natural disasters or terrorists. For example, a location that is in an area that is subject to hurricanes may want to consider accounting for more severe storms. Such as: if a category four was the most powerful storm to hit the area, it would be prudent to examine the effects of a category five storm. Taking such an approach, will allow each location, to specifically develop a plan. That will adapt to the changes that are occurring in the overall nature of the threats.