Firstly, the person in-charge of drawing up the plan should not be a low level employee who do not have sufficient authority. Senior management should be in charge of this program, since a lot of red tape, resistance to change and ‘it cannot happen to us’ attitude has to be overcome. This needs authority of the higher level.
IT Disaster Recovery
A well-reasoned and planned IT policy will ensure the recovery time is well within the Recovery Time Objective and Recovery Point Objective. If the recovery procedure exceeds the RTO and RPO metrics, then it could cause loss of customer goodwill, loss of revenue along with a host of other problems.
Given below are a few steps which will help act as a guide to formulating an IT Disaster Recovery Plan
The IT Disaster Recovery Plan team
Choosing the right members for the IT Disaster Recovery Planning team is of crucial importance. Senior managers and heads of departments should ideally comprise the team members. Senior managers and heads of departments, give insight into the critical areas of the business’s operations. For the IT Disaster Recovery Plan to work as intended, staff involvement is a vital component. This makes it imperative to involve the HR Department when the IT Disaster Recovery Plan is being drawn up.
Contact Details of Managers, First Responders, Critical Staff and other Staff
In the event of a disaster, one of the first problems faced by most businesses will be communications with staff. A document should be drawn up showing contact details of all staff plus alternate contact numbers, e mail id’s etc. This is a live document and can become out of date very quickly. Therefore, it should be updated at frequent and regular intervals.
The importance of a clear-cut 'Chain of Command'
During a disaster, it is important that orders DO NOT come from all sides. Conflicting orders can not only have a debilitating effect on staff, it can lead to the impact of the disaster becoming worse. The IT Disaster Recovery Plan document should clearly delineate a ‘Chain of Command’. The person at the top will declare the disaster and set the IT Disaster Recovery Plan into effect.
Have a designated Disaster Authority as per the IT Disaster Recovery Plan
A single person in charge, who knows the steps to take, as per the IT Disaster Recovery Plan will bring order out of the potential chaos which follows a disaster. This person should know what steps are to be taken in the face of a disaster, as detailed in the IT Disaster Recovery Plan, such as:
- Declare the disaster and set the IT Disaster Recovery Plan in motion
- Send in First Responders
- Ensure all staff are contacted and informed of the disaster declared
- Evacuation of staff where needed
- Sending the injured etc. to hospital
- Alerting Emergency Services
- Ensure only the designated person interacts with the media and public
- Frequently update staff, stakeholders, media and public in an open and honest manner without being alarmist
- Start-up alternate production centers if needed
- When normalcy is restored, withdraw the Disaster declaration
In short, the designated person will be in overall charge of all components of the IT Disaster Recovery Plan.
Alternate Production Centers
In many instances, a disaster takes out the primary production center. Therefore, standby alternate production centers are a necessity. Since one size does not fit all, each business should evaluate what type of alternative production site requirements are needed. Some alternatives are:
- A fully equipped new site at a different geographical location, ready to start production immediately.
- Send in First Responders
- Reciprocal arrangement with other similar businesses for use of their facilities temporarily
- Tie-up with Convention Centers, Hotels etc.
- Work from home till production site can be re-started
What are the vulnerabilities in the location of your production site?
Depending on the location of the business, it may be more vulnerable to a particular type of disaster than others. In some places flooding may be the main threat whereas in other places it could be tornadoes. Make a check-list of the probability of different types of vulnerabilities which could affect production and take mitigating steps.
Data Back-up
Data should be backed up at regular intervals. Depending on the type of business, the frequency of back-up can be determined. In a business which cannot afford to lose any data, real-time back-up will be needed. Cloud back-ups are becoming increasingly popular.
List of Critical Equipment
The above steps are the main inputs for formulation of an IT Disaster Recovery Plan. Once the plan has been devised, sufficient training should be imparted to staff to ensure they know what to do in the event of a disaster. When proper training is given the switchover will be seamless. The IT Disaster Recovery Plan should also be tested and fine tuned at regular intervals. A tried and tested IT Disaster Recovery Plan coupled with proper training is one of the best insurance policies to face a disaster and come out unscathed.
A business should make a list of all its critical equipment, without which, the business cannot function. Depending on this, alternative stand-by equipment must be available, at short notice, to keep critical functions and services operational. This is of crucial importance to ensure production down time is kept to a minimum.