Backup, Recovery and Contingency Planning – How important is your Data
Part 2: Your Business Contingency Plan. Do you have one?
Business contingency planning! Backup and recovery planning! Is there a difference? This article will define what a contingency plan is, as well as how it differs from a backup and recovery plan. I will also cover some of the fundamentals and key considerations for creating a business contingency plan.
A business contingency plan is a step by step guide on how you would recover functionality of your business in the case of a business disaster. As detailed I our previous edition, your backup and recovery plan focuses on being able to recover your data and systems from an internal issue such as server failure of a database corruption. Your contingency plan outlines a business response mechanism and swings into action a process to recover functionality at a business level, rather than at a data level.
Scales of Contingency plans. When you are preparing your contingency plan you have to take into account what it is you are planning for. There are varying types of disasters and your business may not be required to plan for all of them. A contingency plan could be derived from a situation as simple as, “how your business will continue operation if there is an internet outage”, or from a situation where by the disaster is more severe and has a much greater impact on the operation of your business, such as a building explosion or fire”. You may also want to create multiple contingency plans to take into account differing levels of disaster. The key point at this stage is to speak with the appropriate personnel to determine exactly what it is you are putting the plan in place for. Regardless of the many situations and unforseen events which could affect your business, there exist many process similarities and considerations which need to be followed and taken into account during the development of your contingency plan.
We all hope that we never have to initiate or take part in a recovery effort, especially one of significant size and impact. However, if you do, you should make sure that your key personnel are informed of their roles and have them ready to respond when required. Usually, a disaster recovery process will have a “Manager” or someone who will be driving the recovery efforts, potentially even a recovery team, but either way all involved need to be informed of their individual responsibilities to enable the success of the contingency plan. Efficiency and co-ordination are fundamental to any contingency based operation.
An “up to date” and accessible “contact list”, is something that is commonly overlooked by many organisations. This “list”, is vital, in any contingency plan, regardless of the plans magnitude. Employee numbers and addresses, client related information, not to mention frequently used suppliers and contractors, should all be readily available and accessible via this list. Let’s assume the worst possible situation has occurred. Your building has been destroyed by fire or bomb. Who do you call? If you think about the massive scale of this disaster and the enormity of the task to get the business functioning again, it is quite easy to see why a contact list is important. Management and staff, clients, builders, plumbers, electricians, hardware and software vendors, Internet Service Providers, (Add insurance providers to the list here) Financial institutions, etc will all need to be contacted at some point in the process. This list goes on. Sure you could look all the details and relevant contact information up via the internet or phone books, but how much additional time is involved in this? What if I am not familiar with who our company uses as their electrical contractor. Do I just search the phone book for an electrician? Or do I obtain electrical assistance based upon the information in the contact list. I mentioned earlier about the accessibility of the “contact List”. This list should be kept in more than one location and be accessible to multiple key personnel as once the contingency plan is “kicked into action” you want your staff to be able to act swiftly.
Once again, depending on your particular contingency plan, the requirement for an alternate site or operating location may or may not be a requirement. This level of contingency may be beyond the scope of 50% of this articles reader, but I am mentioning it as it must be considered. If your current office location is no longer an option for you, where will your business operate from? A small business or single operator may find it quite simplistic to operate from home, or from a shared office environment, but what if your premises was 1000 square metres, and housed 150 employees? This would be a difficult business to relocate on short notice. A secondary site may be an option. It will be expensive, and may not be within budget for the majority of organisations, but it all comes down to the requirements of each and every business and the depths to which they develop their contingency plan. If you had the luxury of knowing you could pick up operations and move to a pre-defined site, if and when a disaster occurs, this would save the added inconvenience of sourcing an operating space.
Hardware and software procurement is also an important component of any contingency plan. Again it depends on the depth of your plan, but having access to replacement equipment and other important technology will have an enormous impact on your ability to recover your business operations. You could even go to the extremes of incorporating a business agreement with a vendor, into your contingency plan, that would see them stockpile servers, workstations, networking equipment and other keys infrastructure in their warehouse in preparation for such a disaster. I have done this sort of planning, and thankfully, we have never had to use our contingency plan; however, the added comfort of knowing that, within a matter of hours, we could have our hands on the necessary infrastructure required to resurrect our network and IT environment, is very reassuring.
Critical Business Components
You may recall, in the first part of this article we touched upon the requirement to audit your data and systems, and work out what data is crucial to your business survival. This predefined for you, a list of what information you needed to back up. A similar audit process is required for your contingency plan; however it is not related to backing up your data. It is related to your Business structure, and its key departments and information systems, and the order to which these systems should be restored should a disaster occur. To simplify this further, here is a question. What is the priority order in which my business systems should be restored? Should the accounts department be bought back online first, followed by Email functionality, or vice versa. How important is internet access to business operation and where should this functionality reside in the “to do” list. These are business specific questions and answers to these questions will vary from company to company, however, planning the recovery efforts, to this granularity, will set the platform for a smooth recovery process.
Again, let’s assume the worst possible scenario has occurred. Your building is destroyed by fire, or an explosion, or similar. The type of disaster is irrelevant, but none the less, it renders your business premises unusable and unrecoverable. Are you one of these people who in light of just having experienced a “business related disaster”, when asked for your backup tapes, replies “they were in the building! What good are your backup tapes if they have just gone up in flames with the rest of your office complex? Offsite storage for your critical backup data is a key component of any contingency plan. Actually I would go as far as saying it is the most important part of your contingency plan. The offsite storage option for your backup data is a major consideration point for your business; however ninety percent of the time this option will be predetermined by your chosen backup solution. If your backup solution involved the use of tape media, then you will most likely require physical storage of your media at an alternate location. If your backup solution consisted of an online backup solution, where by your data was backed up to an external site via the internet, then this will change your offsite storage options again. I guess the key point to consider here, is what do you do with your backup data once you have it? Where do you keep it so it is both safe from potential disasters, as well as still highly accessible?
A characteristic of any good process or plan is its documentation. This is crucial. Your contingency plan documentation should be simplistic enough for anyone to understand, allowing them to perform the actionable items listed. In addition it must also be thorough and contain enough detailed and specific information that the plan can be completed with minimal confusion. This is potentially a difficult combination of requirements to achieve in a document but it is achievable. Like your contact list and Backup Data, your documented recovery process should be kept in a safe, and accessible location, and preferably in more than one location for redundancy. The documentation should clearly list responsibilities and tasks that need completion and the recovery team should be able to delegate certain responsibilities to personnel and have confidence that they can successfully utilise the documentation to perform their assigned task.
By now, you should realise that I am quite focused on testing, and making sure things work as they are designed. A contingency plan is no different; however certain aspects of a contingency plan are quite difficult to test and performing a full test, or testing certain components of a plan, may not be feasible for your business. As a rule, testing should be as detailed and thorough as your business can accommodate. One very effective way to test your plan is to remove a portion of your key personnel, then simulate the disaster without having there input into the recovery. This way you will identify potential flaws or issues in your processes and documentation that will enable you to rectify them before a real scenario is encountered.
Business Contingency Planning is the natural progression, from a backup and recovery plan. Planning for disasters is time consuming and quite complex. Far more complex than the scope of this article, however this article does provide and insight into many business considerations that need to be digested and at least thought through. Should you embark on designing a contingency plan, think about every possible aspect and every possible requirement that you will need to accommodate to restore your business activity. After all, this is your business we are talking about. You’re livelihood.
In conclusion, to make use of the “Boy scouts” motto. Be prepared.