Your questions answered

- Do I really need a disaster recovery plan?
- What are the essential first steps in a DRP?
- Is a DRP just about addressing IT issues?
- Do you have any recommendations on communication with staff?
- Is a disaster recovery plan essential if we have business interruption insurance?
- What are the practical problems we are most likely to face in an emergency?
- How does my quality management system tie in with a DRP?

Do I really need a disaster recovery plan?

It is now common for large companies to demand that their suppliers have tested DRPs in place - particularly as supply chain resilience driven by 'just in time' delivery is dependent on guaranteed continuity. In some sectors, regulatory bodies insist on this reassurance too. Another advantage of demonstrating that a robust plan is in place is that companies find they can negotiate a discount on insurance. For some small companies, the penalty of not having a plan in place is that they may not recover from a disaster at all.

What are the essential first steps in a DRP?

First you must consider what is important to your business, analyse what your systems are doing and prioritise in terms of what would need most urgent attention in the event of a disaster. For a small company where a server is stolen or destroyed, it is clear where the priority lies. In a larger company it is a case of looking at which systems are most crucial to business continuity and which staff need to be in place first to keep the business running. It is important that a DRP is not driven by the IT team, who may not understand the impact of loss of certain systems on the running of the business. In developing a plan you should pull together representatives of all areas of the business who can present the likely risks / challenges. Consider the likelihood of a particular type of disaster and plan accordingly. For instance, do you have neighbours who present a particular hazard? It is essential to gain buy-in from senior management to the plan. Finally, agree which staff are critical in the first instance to keeping essential elements of the business running.

If you have a reciprocal arrangement with a neighbouring company to hold backup data, is there a recommended minimum distance they should be from you?

This depends very much upon the type of disaster you are likely to be protecting against. If you are both very close to a fuel storage depot, or under the flight path of a busy airport, geographic distance is important. If the most likely disaster is theft, then proximity is much less of an issue. You need to carry out a risk assessment of the likely events which could affect your business continuity before making a judgement on this.

Is a DRP just about addressing IT issues?

No; it should be stressed that disaster recovery is not just an IT issue; it is a people issue. Communication is key. Be sure that staff know the detail of the plan and have been fully trained on its implementation. Staff also need to know what the triggers are for activation of a DRP and who has authority to implement it. It makes sense to ensure those responsible for the plan are not just the top executives, who may be engaged elsewhere.

Do you have any recommendations on communication with staff?

Management of information is essential. For example, contact addresses for all staff should be kept off site so they can be reached in an emergency. Even if they are not key to the recovery effort, it is very important for morale to keep them in touch with what is happening. Directing communications externally also prevents panic inbound traffic which may clog up communication systems. One suggestion is to issue staff with a credit-card-sized information sheet with details of key contacts to communicate with in the event of an emergency. Another is to have text messaging set up to inform all employees of the status of events at regular intervals. Remember to communicate with all staff, including the 'non critical' staff left at home! Involve everyone in the rebuilding of the business as a team building exercise - often staff on the ground have ideas about how to make a business run even better.

Is a disaster recovery plan essential if we have business interruption insurance?

It is important to be clear that if processes to prevent and deal with disaster are not in place, you may not be covered by insurance. Check exemption clauses and the timescales for which cover applies very carefully. A 12 month indemnity is common, but 18 months is much more realistic. Even if you are covered you have the immediate problem of getting the business back to a state where it can trade. Many businesses don't recover from disaster because they haven't planned for continuity and by the time they are back up and running, customers have gone elsewhere.

What are the practical problems we are most likely to face in an emergency?

The main one is often access to premises. Even if your company has not been affected, a local emergency may mean the area is evacuated and you are unable to access your building. The power of local authorities/police is very strong in civil contingencies and it is worth understanding in advance what constraints this may place on your business. For example, at the Buncefield depot the emergency services threw an immediate cordon around the area and prevented any access for any reason whatsoever for some time, for safety reasons. Therefore, if you leave backup tapes on site you could find you are not able to access them if a disaster occurs. Another issue can be communication - it is not uncommon for cell networks to be closed down by authorities, or to fail through overload. One answer to this could be remote hosting of a website well out of area (or country) to be used as a vehicle for communication with staff/customers.

How does my quality management system tie in with a DRP?

The information that you are required by your QMS to record can be vital to business continuity and you should look at what data this can feed into your DRP. For example, home addresses of staff, where spares for your systems are kept, which are key customers and their contact details, suppliers etc. All of this information is crucial to disaster recovery and is often readily available to you through existing data capture.