People take their stability for granted. Nothing will ever happen to them and their business and, if something happens, it will happen to other people so they are fine. Why to worry? Simple: because that is the same perception other people will have when it happens TO YOU. So the question is: will you be ready? That is the moment when your DRP (Disaster Recovery Plan) kicks in…but how do you get to have one? Let’s see how.
Do you need a DRP in the first place?
This is the starting point: prepare for the uncertain future. A DRP is a measure that can help you mitigate the problems you may have should a disaster happen in your business.
It is like buying an insurance, you never expect to use it (and dont want to use it) but you dont want to have a car accident or an incident in your house and not be able to obtain help and mitigate these problems (financially, with external resources like hotel accommodation, etc). What will your DRP cover you for? Depending on how you create it, these are the sort of things that you will be covered for:
- Earthquakes and tsunamis.
- Environmental / weather disruptions.
- ETC (which basically means anything that can alter how your day-to-day business runs).
So, the answer is: YES!!! If you want to cover your business in case of disaster, even minimally, prepare your DRP.
BCP vs DRP
Much is discussed on whether a company is creating a BCP (Business Continuity Plan) or a DRP (Disaster Recovery Plan). While many define BCP as the plan to recover from internal failure (i.e. hardware / systems failure) and DRP as the plan to recover from external disasters, I will use the term DRP as it is, normally, the one that is more complex as it will have to consider all sort of components. For instance, as a result of an external action your internal systems may not work (earthquake hitting your office, your datacenter, etc).
Scoping your DRP
Now that you know that you want to have a DRP, the question will be what sort of DRP you want. In other words: What do you want the DRP to cover?. I have found that many people say pretty often “everything”. Well, while this is possible it is also nice to be realistic. Putting a DRP in place doesn’t come for free as you have to invest money. If you want to cover everything (and by everything I mean creating a DRP that will help you run your business as if nothing had happened) that would require to practically replicate (mirror) your business. I have also seen such as ambitions DRP plans that were given more thought and further resources than their normal business was ever given.
To scope properly your plan you should question yourself and ask: What is what I can not afford to lose if disaster stroked? That will be your starting point.
A DRP is not an IT – Security “thing”…only
This is where many plans fail. In many occasions the DRP creation is a “task” given to the IT / Security department. While IT and security is very important in all the companies, we should not forget that running a business is something in which many other people take part. From human resources to finance, from operations to quality, and many more work coordinated in a daily basis. Thus, if you want to create a DRP everybody will have to have their saying in it.
Creating without testing…like not to have anything
Once your DRP plan has been created and, very important, not only in paper or power point, the next step is as important as creating the plan. I would say that testing the plan is the most important part of the DRP. You don’t want to need it just to found out that you left out something really important. I will give you some real life examples of DRP plans that did not work as expected:
- DRP to avoid industrial action (strike): Everything was planned and incorporated into the DRP as expected. There was a secondary site where people could work just like in the primary site…only that they could not work there as the office workers could not reach the site : Transportation had not been arranged properly for them.
- DRP to avoid electricity issues in main datacenter: Second datacenter up and running ready to work with all the services and systems on-line…just to find out that the versions that were running on the servers were a few versions behind (from the time that the DRP had been created originally) thus the applications were not working properly neither loading the databases correctly.
- DRP to action external help (transportation, hotel lodging, etc) not working as the responsibles in the DRP emergency contact-list were not part of the company any longer, thus nobody could action the plan with the external companies.
As you can tell the number of things that may stop your DRP from working are endless. Test before it is too late.
Evolution and update your plan
Testing should not only be done at regular intervals to make sure people understand what they need to do in case of disaster. There may be changes in the business that are not equally replicated in the DRP plan. Only by testing you will make sure your plans are fit to purpose. This is very important, thus I include it in a different point: Update your plan as soon as changes come in place in your business.
If you are expecting to make the changes only to pass the “DRP Testing Day” you will be risking your business. Remember that you are preparing this plan to avoid chaos and disaster as it usually happens when you least expect it.
REMEMBER: The closer your DRP is to your daily business needs (and constrains) the more efective it will be. It is like moving an elephant, it may cost a lot at the beginning but once it gets moving and up to speed it will be much easier to put in place…should you need it.
DRP Team: the forgotten management
Just like most companies have a “succession” plan (your company prepare people so they can take on superior roles) you should have a plan that includes who will be actioning what should disaster strike: That will be your DRP Team. It is extremely important that you have knowledgable and experience people that will be able to make the DRP work. They should meet and review the DRP plan, reviewing changes, adapting to new needs or changing those items that are not needed any longer, among many other topics. This is a must since your company will rely on this people to make sure your business continues working in case of catastrophe. Often the team resembles your “normal” org chart, with people from all the departments that run the business represented in this crisis management team.
Also, let me tell you as there is often people confused with what is expecting from them in this board. Being part of the DRP board – managemente team is not an “honorific” position. People taking part of the DRP Team should be people that will be there and then when disaster happens, so chances are that you will need, at least, two people for every section so they can cover for each other (holidays, sickness, etc). Remember, disaster may happen when it is not in your “agenda”.
Be ready, not happy
When I ask the team how confident they feel about DRP I’d rather want to hear that they are ready. They can be happy about the results of their hard work, but what really matters is to be ready should you need to be.
Just follow my motto: